According to health privacy experts, the first part of 2018 was a “light” time for enforcement of the Health Insurance Portability and Accountability Act of 1996, also known as HIPAA. As of April, there were only two publicly-disclosed settlements for violations. One involved Fresenius Medical Care North America, which paid the U.S. Department of Health and Human Services $3.5 million in fines after it failed to implement policies and procedures to address security incidents. The second fine involved Filefax, Inc., a medical records storage company, which improperly disposed of medical records for 2,150 patients.
Public settlements were down, but that doesn’t mean that enforcement is lax. In this module, we delve into enforcement actions and learn about how the federal government ensures that a covered entity is held responsible for any unauthorized disclosures that violate HIPAA.
There is a two-pronged approach to HIPAA enforcement. The first, is the civil route, whereby the U.S. Department of Health and Human Services’ Office of Civil Rights investigates alleged violations and imposes civil penalties for HIPAA violations. The second prong is a criminal enforcement route, led by either the U.S. Department of Justice or a state’s attorney general, which will conduct a criminal investigation and prosecute a covered entity that violates HIPAA’s privacy and security regulations.
Civil Investigation of HIPAA Violations
The civil investigation process begins with the Office of Civil Rights looking into a filed complaint. Next, it will conduct a compliance review to determine whether a covered entity is complying and protecting a person’s protected health information. Finally, it will conduct educational outreach to foster HIPAA compliance.
The Office of Civil Rights receives thousands of complaints of possible HIPAA violations annually, but it cannot investigate every single one. Approximately sixty-two percent of complaints filed with it are ineligible for investigation. It will only act on complaints that meet the following conditions. First, the alleged violation must have taken place after the date the Rules took effect. Compliance wasn’t required until 2005, so the Office of Civil Rights can’t investigate a complaint about a potential violation that occurred before that year. Second, the complaint must be filed with the Office of Civil Rights against a covered entity covered by the Privacy and Security Rules. Examples of such entities include health plans, doctors, health insurance companies, and pharmacies. Examples of entities that may have access to a person’s protected health information but aren’t subject to HIPAA’s Privacy and Security Rules include employers, life insurers and state law enforcement agencies. Third, a complaint must allege an activity that, if proven, violates the Privacy or Security Rule. For example, the Office of Civil Rights can’t investigate a complaint alleging that a doctor sent his patient’s demographic information to an insurance company to obtain payment because the Privacy Rule generally permits doctors to disclose such information for purposes of billing for services.
According to the Office of Civil Rights, “some of the most frequently investigated compliance issues relate to improper use or disclosure of health information, lack of safeguards to protect health information and lack of patient access to health information.” A complainant alleging a HIPAA violation must file a complaint within 180 days of when he knew, or should have known, about the alleged violation of the Privacy or Security Rule. The Office of Civil Rights may waive this time limit if it determines that the complainant shows good cause for not submitting the complaint within the 180-day time frame.
If the Office of Civil Rights accepts a complaint for investigation, it will notify the complainant and the covered entity named in it. Once notified, both parties can present information about the problem described in the complaint. The Office of Civil Rights may request information from each to understand the facts, the circumstances surrounding the incident, and the covered entity’s related policies, procedures, and practices. The Office reviews the evidence gathered in each case.
When the investigation is done, the Office of Civil Rights issues a closure letter, which presents the agency’s decision on whether there has been a violation of a federal statute or regulation. It will attempt to settle and resolve the issues with the covered entity by obtaining:
- voluntary compliance;
- corrective action; and
- a resolution agreement
Sample Case Studies of HIPAA Remedies
The Office of Civil Rights prefers to resolve HIPAA violations using a measure such as a resolution agreement that will have a covered entity voluntarily comply with HIPAA. For example, in 2017 one investigation concerned Memorial Healthcare System, a nonprofit corporation which operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary healthcare facilities throughout South Florida. The protected health information, such as names, dates of birth, and Social Security numbers, of over 115,000 people had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. Additionally, a former employee’s login credentials had been used to access health records affecting 80,000 people. Memorial Healthcare System not only agreed to pay a $5.5 million settlement, it announced that it would voluntarily implement a robust corrective action plan immediately that would include procedures to modify and terminate employees’ right of access, as required by the HIPAA Rules. Some of these procedures in the corrective action plan included:
- enacting new policies and procedures to enhance password security;
- hiring IBM to provide assessment, response, and password monitoring services; and
- hiring an independent technology firm to conduct monthly network audits and scans
Urging voluntary compliance and reaching a resolution agreement aren’t the only tools in the civil arsenal. The Office of Civil Rights can also impose severe civil monetary penalties. HIPAA imposes a tiered structure for fines with a high financial cost for a covered entity that fails to adequately protect protected health information. A violation that the covered entity was unaware of and could not have realistically avoided even had reasonable care been exercised will still lead to a minimum fine of $100 per violation and a maximum of $50,000 per violation, with an annual maximum of $1.5 million in fines. A HIPAA violation suffered as a direct result of “willful neglect” of HIPAA Rules but where an attempt has been made to correct the violation will lead to a minimum fine of $10,000 per violation and a maximum of $50,000 per violation, with an annual maximum of $1.5 million in fines. If there’s a violation due to willful neglect and the covered entity makes no attempt to correct the violation, there will be a $50,000 fine per violation with an annual maximum of $1.5 million in fines.
Covered entities of all sizes and reputations can be fined. In July 2009, the Office of Civil Rights fined a Kaiser Permanente Hospital $187,500 for patient privacy violations. It found that the hospital, located in Los Angeles, compromised the privacy of four patients when several employees improperly accessed those patients’ electronic health records. This penalty followed another fine levied against the same hospital two months earlier, for improper access to the medical records of the “Octomom,” Nadya Suleman. Kaiser was fined $250,000 after it discovered that twenty-five employees were identified as having inappropriately accessing Suleman’s medical records.
Another case involved two Arizona-based cardiac surgeons whom the Office of Civil Rights investigated in 2009. It notified the surgeons that it had initiated an investigation on a complaint alleging that the surgeons had impermissibly disclosed electronic protected health information by making it available on the Internet. Specifically, the physicians posted over 1,000 separate entries of electronic protected health information on a publicly accessible, Internet-based calendar and had transmitted daily electronic protected health information from an office-based email account to the employees’ personal email accounts.
Due to these violations, the Office of Civil Rights required both physicians to pay $100,000 and to institute a corrective action plan with policies and procedures to assess risks and vulnerabilities and implement technical security measures to guard against unauthorized access to protected health information.
Criminal Prosecutions for HIPAA Violations
A covered entity that violates HIPAA can also face criminal prosecution and penalties. Any person who “knowingly” obtains or discloses individually identifiable protected health information for an unauthorized use can face both a criminal fine and imprisonment. There are two elements of the federal statute:
1) knowingly obtaining individually identifiable health information relating to an individual; and
2) obtaining that information in violation of federal law.
HIPAA’s criminal enforcement provision has a low threshold to prove criminal intent. The DOJ has interpreted the “knowingly” element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense; knowledge that an action violates HIPAA is not required.
The penalties for the misdemeanor statute for HIPAA violations subject the violator to a fine of up to $50,000 and imprisonment for up to one year. Offenses committed under false pretenses carry fines of up to $100,000 and up to five years imprisonment. Offenses committed with the intent to sell, transfer, or use individually identifiable protected health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment of up to ten years. During sentencing, a court may also order the payment of restitution for improper disclosure of protected health information.
A prosecution for improper disclosure of protected health information is often brought in tandem with a healthcare fraud prosecution case. In one 2016 case, three former district managers of a Boston-based pharmaceutical company drove pharmaceutical sales by directing sales representatives to fill out prior authorizations for a certain drug even when physicians refused to authorize it. To follow through with this scheme, the district managers accessed patients’ protected health information to learn about their medical histories and then shared the data with sales representatives. All three district managers pled guilty to committing healthcare fraud and prosecutors also charged them with violating HIPAA because they accessed confidential and protected health information that they had no right to access or disclose.
Criminal prosecutions for HIPAA violations are usually misdemeanor cases, punishable by fines, penalties, forfeitures or short-term confinement. Still, in some cases, HIPAA prosecutions can result in the more serious felony convictions.
One of the few felony HIPAA prosecutions involved a 33-year-old woman in Alaska who worked as a financial counselor at a hospital and had access to computerized medical records. One of her friends, who had been recently sentenced to life imprisonment, contacted her and asked her to check the medical records of two people he had victimized: one victim who had been sexually assaulted and another whom he had shot. She provided him with the information, including what each victim told hospital staff about how they sustained their injuries, the severity of the injuries and what was reflected in hospital records about their cooperation with law enforcement. In sentencing her to a two-year sentence after felony conviction, the federal district judge stated that the former hospital employee “displayed no respect for the law or the private and confidential information of the victims,” adding that “in this day and age, every human being expects private records to remain private.”
Private Right of Action
HIPAA does not provide a person a private right to sue. The ability to bring a civil enforcement action to remedy HIPAA violations and ensure that a healthcare provider is HIPAA compliant lies within the exclusive power of the U.S. Department of Health and Human Services. Courts have also held that there is no implied private right of action under HIPAA. In one case, a hospital sued to prevent a newspaper from publishing information contained in a hospital peer review report. A federal district court in Colorado held that no implied private right of action exists under HIPAA. The fact that a federal statute has been violated and hospital patients harmed didn’t automatically give rise to a private cause of action in favor of that person. Instead, the court reasoned that Congress needed to create an implied private right of action to enforce federal law.
While a patient can’t bring an individual action seeking monetary damages or an injunction for the unauthorized disclosure of health information, she may be able to bring a tort action based on state law, such as negligence, or another state statute that recognizes a private right of action.
In 2015, Yehonatan Weinberg filed a class action lawsuit against Advanced Data Processing, a medical billing and coding company providing services to emergency medical services providers across the United States. He alleged that ADP failed to safeguard his sensitive personal information and exposed the protected health information of hundreds of other emergency medical service patients, including their names, birth dates, Social Security numbers, health insurance information and other protected health information, to criminals who then sold their identities.
Weinberg made two claims: one claim for negligence based on alleged HIPAA violations and the other a (Florida) state law negligence claim under the “undertaker’s doctrine,” which imposes a liability on someone who undertakes (by contract or for free) to aid someone and then fails to act as a reasonable person in carrying out that aid. He alleged that ADP implicitly undertook a responsibility to safeguard the information of its clients’ patients.
The federal district court in Florida dismissed his first claim, reasoning that “Florida courts have refused to recognize a private right of action for negligence per se based on an alleged violation of a federal statute.” However, the court granted his second claim based on state law, finding that Weinberg had sufficiently alleged a duty pursuant to the undertaker’s doctrine because state law imposed a duty of care not only on parties to a contract, but also any third parties that perform services under the contract.
 Five Breaches Add Up to Millions in Settlement Costs for Entity That Failed to Heed HIPAA’s Risk Analysis and Risk Management Rules, U.S. Dep’t of Health & Human Servs., HHS Press Office (Feb. 1, 2018), https://www.hhs.gov/about/news/2018/02/01/five-breaches-add-millions-settlement-costs-entity-failed-heed-hipaa-s-risk-analysis-and-risk.html.
 Consequences for HIPAA Violations Don’t Stop When a Business Closes, U.S. Dep’t of Health & Human Servs., HHS Press Office (Feb. 13, 2018), https://www.hhs.gov/about/news/2018/02/13/consequences-hipaa-violations-dont-stop-when-business-closes.html?language=es.
 George F. Indest, Failure to Comply with HIPAA Can Result in Both Civil and Criminal Penalties, The Health Law Firm (Nov. 11, 2014), http://www.thehealthlawfirm.com/blog/posts/failure-to-comply-with-hipaa-can-result-in-both-civil-and-criminal-penalties.html.
 Enforcement Process, U.S. Dep’t of Health & Human Servs., (June 7, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/enforcement-process/index.html.
 How OCR Enforces the HIPAA Privacy & Security Rules, U.S. Dep’t of Health & Human Servs., (July 7, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html.
 Pamela Del Negro, What is the HIPAA Complaint Process?, Robinson+Cole, (Aug. 8, 2017), https://www.dataprivacyandsecurityinsider.com/2017/08/what-is-the-hipaa-complaint-process/.
 How to File a Health Information Privacy or Security Complaint, U.S. Deo’t of Health & Human Servs., (Sept. 6, 2017), https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html.
 How OCR Enforces the HIPAA Privacy & Security Rules, U.S. Dep’t of Health & Human Servs., (July 7, 2017),https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/how-ocr-enforces-the-hipaa-privacy-and-security-rules/index.html.
 Memorial Healthcare System Pays $5.5M HIPAA Settlement, Becker’s Health IT & CIO Report, (Feb. 17, 2017), https://www.beckershospitalreview.com/healthcare-information-technology/memorial-healthcare-systems-pays-5-5m-hipaa-settlement.html.
45 C.F.R. § 160.404(b).
 45 C.F.R. § 160.404(b)(2)(i)(A)-(B).
 45 C.F.R. § 160.404(b)(2)(ii)(A)-(B).
 45 C.F.R. § 160.404(b)(2)(iv)(A)-(B).
 Lauren Bair Jacques, “Electronic Health Records and Respect forPatient Privacy: A Prescription for Compatibility,” 13 Vand. J. Ent. & Tech. L. 441, 454 (2011).
 See generally Joyce E. Cutler, Kaiser Permanente Gets $ 187,000 Fine for Second Patient Privacy Violation, BNA’s Health Care Daily Rep., (July 20, 2009); see also Health Leaders Media Staff, Kaiser Fined $250,000 for disclosing Octo-Mom Medical Records, Media Health Leaders (May 15, 2009), http://www.healthleadersmedia.com/technology/kaiser-fined-250000-disclosing-octo-mom-medical-record.
 Kaiser Fined $250,000 for Octomom HIPAA Violation, Los Angeles Times, (June 1, 2009) as reprinted in Yale School of Medicine, (July 20, 2012) https://medicine.yale.edu/news/article.aspx?id=1978.
 Small Practice Subject to $100,000 Payment to Resolve Alleged HIPAA Violations, Lexology, (April. 30, 2012), https://www.lexology.com/library/detail.aspx?g=070eeed0-05ec-4e8c-ace9-213ca127f4f4.
 HHS Settles Case With Phoenix Cardiac Surgery for Lack of HIPAA Safeguards, U.S. Dep’t of Health & Human Servs., (June 7, 2017), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/phoenix-cardiac-surgery/index.html.
42 U.S.C. §1320-d-6(a)(2).
 United States v. Huping Zhou, 678 F.3d 1110, 1113 (9th Cir. 2012).
 42 U.S.C. §1320-d-6(b)(1)-(2).
 42 U.S.C. § 1320d–6(b)(3).
 U.S. Department of Justice, U.S. Attorney’s Office, District of Massachusetts, Three Warner Chilcott District Managers Sentenced for Healthcare Fraud, (Oct. 28, 2016), https://www.justice.gov/usao-ma/pr/three-warner-chilcott-district-managers-sentenced-healthcare-fraud.
 U.S. Department of Justice, U.S. Attorney’s Office, District of Alaska, Press Release, Anchorage Woman Sentenced To Two Years Imprisonment For HIPAA Violation, (Jun. 1, 2015), https://www.justice.gov/usao-ak/pr/anchorage-woman-sentenced-two-years-imprisonment-hipaa-violation.
 Acara v. Banks, 470 F.3d 569, 571 (5th Cir. 2006).
 Univ. of Colorado Hosp. v. Denver Pub. Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004).
 Weinberg v. Advanced Data Processing, Inc., 147 F.Supp.3d 1359,1362 (S.D. Fla. 2015).
 See id. at 1365; see also Wallace v. Dean, 3 So. 3d 1035, 1051 (2009)
 Weinberg, 147 F.Supp.3d at 1366.