HHS Aggressively Enforcing HIPAA Rules

As of July, the Department of Health and Human Services (HHS) had investigated and resolved over 20,674 violations of the Health Information Privacy and Accountability Act (HIPAA) Security and Privacy Rules for 2013.[1] HHS reports that the most frequently investigated issues are:

  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Uses or disclosures of more than the minimum necessary protected health information;
  • Lack of administrative safeguards of electronic protected health information.

Private practices are the covered entities most often required by HHS to take corrective action.

HHS has also announced a number of high-dollar settlements this year.

WellPoint Inc., a managed care company, agreed to a $1.7 million settlement with HHS following an investigation into violations of HIPAA. The company reported security weaknesses that rendered the PHI of 612,402 individuals vulnerable to unauthorized access. The investigation found that WellPoint failed to implement adequate technical safeguards as required by HIPAA.

Penalties have been assessed even when security weaknesses do not result in actual unauthorized access to patient information. In May, Idaho State University was found to have failed to maintain adequate security at a university clinic after it failed to restore a firewall that had been disabled for maintenance. The lapse was not discovered for at least ten months, and left the information of 17,500 patients unsecured during that time. The University agreed to pay a $400,000 penalty for the breach, even though it was determined that the lapse resulted in no improper access to patient records.

In August, Affinity Health Plan, Inc., a not-for-profit managed care plan, settled with HHS for over $1.2 million after Affinity failed to erase confidential medical information from the hard drives of leased photocopiers before returning the copiers to the leasing agents. The breach resulted in the impermissible disclosure of the PHI of up to 344,579 individuals. An investigation by HHS revealed that Affinity did not account for PHI stored on photocopier hard drives when it analyzed the risks and vulnerabilities of its electronically stored data, and that it did not implement policies and procedures to safeguard that information.

These significant penalties show that HHS is acting aggressively to hold covered entities accountable for breaching HIPAA, even when violations are unintentional and result in no actual unauthorized access to PHI. The increased penalties under the Final Omnibus Rule will make it possible for HHS to seek even larger settlements. Covered entities and business associates of covered entities should work with an attorney to update their policies and procedures to comply with new HIPAA requirements in order to avoid being subjected to these large penalties.

[1] U.S. Dep’t of Health and Human Services, Enforcement Highlights (Aug. 8, 2013) http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html.