HIPAA Penalties Due To DisarrayHIPAA penalties are always discussed in training and presentations about HIPAA.  Those discussions are usually more about an overview of what is in the law than actual information on how the law is applied.  HIPAA penalties are really not seen often.  Civil money penalties are not part of the settlements we usually see but OCR announced a big one in October.  How do they really apply those huge numbers everyone talks about but we never see?

I can’t count the number of times people get big eyes and talk about the $1.5m fines are scary and that is why you better worry about HIPAA compliance.   Honestly, in our training, we tell people that there will be so many other things they have to worry about if they get caught not complying with HIPAA the penalties are the least of their worries.

There are so many things that happen when you are under the microscope of the OCR in an investigation plus answering your patients/clients dealing with a privacy breach, your staff having to address all of that internally and with lawyers and your business partners.  If you are lucky it won’t involve the media on top of all of those things.  Just soaking all of that into your limited resources will be overwhelming and very expensive both in cash and time.  It may be a relief to get to the point you are talking about penalties.

The HIPAA penalties built into the enforcement rules added under HITECH give OCR a lot of flexibility in how they approach each situation.  There are thousands of cases settled each year that involve nothing more than assurances of corrective actions.  You can bet if you made those assurances and then they end up back on your doorstep it won’t be pretty.  Many times we have heard that the handful of cases that end up in a settlement or actual penalty are because the organization ignored OCR or argued something like “you are not the boss of me”.  It is also possible that they had a breach during an investigation or didn’t do the corrective actions agreed to on a previous breach.

HIPAA Penalties Imposed

October 23 OCR announced that a civil money penalty was imposed against Jackson Health System (JHS) in Miami, Florida for violations of HIPAA for $2,154,000.  When these are announced we actually see all the details about the financial calculations of the penalties applied to the violations found in the investigation.  When we last saw this it was the MD Anderson case last year and that one is still moving through the courts.  This one isn’t as contentious as that case so far because they didn’t appeal it to the ALJ.  Maybe because they saw what happened to MD Anderson.

Here is the press release quote that leads us to the water OCR wants us to drink from this case.

OCR’s investigation revealed a HIPAA compliance program that had been in disarray for a number of years. This hospital system’s compliance program failed to detect and stop an employee who stole and sold thousands of patient records; lost patient files without notifying OCR as required by law; and failed to properly secure PHI that was leaked to the media. OCR Director Roger Severino

What happened to cause the disarray leading to HIPAA penalties?

It is important to note that we are not talking about any small organization here.  They are a huge non-profit academic medical system that operates It operates six major hospitals, a network of urgent care centers, multiple primary care and specialty care centers, long-term care nursing facilities, and corrections health services clinics treating 650K patients a year and has about 12K employees.  Remember that when people tell you they are sure an organization that size has a robust privacy and security program or at least is “HIPAA compliant”.

This notice is loaded with information as to what happened because a lot of things were found.  The “Findings of Fact” section includes 50 points that OCR checked off to get to their proposed HIPAA penalties they sent over to JHS.  Because there is a lot of legal points that have to be made we can try to whittle those 50 points down a bunch to just the ones with the most meat.  It all starts in 2013 but boy does it play out for a long time.  Let’s begin at the beginning.

On August 22, 2013, JHS submitted a Breach Notification Report (“Report”) to OCR. The Report indicated a loss of paper records for 1,471 patients from the Jackson Memorial Hospital’s Health Information Management (HIM) department in January 2013 (“January 2013 loss”). OCR JHS Determination

We have to note that they did the little thing that says from now on in this document we will call this the Jan 2013 loss because there are many more to reference.  That is the first one and the loss took place in Jan but wasn’t reported until the end of August.  Employees told their supervisor about two different incidents of missing boxes of paper records from the emergency room in Dec 2012 and Jan 2013.  The supervisor never mentioned the Dec issue to anyone until the investigation was happening after it happened again in Jan.

The second one which happens in July 2015 when “ OCR became aware of multiple media reports disclosing the PHI of a JHS hospital patient, a well-known NFL player.  An ESPN reporter also shared a photograph of an electronic display board in a JHS operating room and a paper schedule containing the PHI of the same patient.”  Ok, we know that was the JPP case where he blew his fingers off with fireworks during the 4th.  What a hubbub that one was and so many people accused the ESPN reporter of a HIPAA violation.

OCR opened an investigation on that one when they saw the news – note to all of you out there.  They didn’t notify JHS about the investigation until Oct 26 though.  JHS did report on Feb 25, 2016 that a photograph was taken of an operating room electronic display board which displayed the PHI of two individuals including “a well-known person in the community.” That means they did it in their year end requirements.

An employee had been selling patient information since July 2011
Don’t get too sure of that because they didn’t figure that out without another problem happening.  The THIRD issue was actually reported before the second one.  Feb 19, 2016 JHS filed a report with OCR that an employee had been selling patient information since July 2011.  As part of that report they said that 24,188 patients were inappropriately accessed by that employee over those years.

The really sad part on this one is JHS didn’t find the employee stealing even after 5 years of doing it.  An anonymous caller notified their compliance department on January 4, 2016 that the employee was selling patients’ ePHI.  It could have been going on much longer without the whistleblower.

Clearly they did not see the gaping holes in their privacy and security program until they found out patient information was being sold.  All of the other things no big deal.  Hello, canary in the mine anyone!

Security Risk Analysis is not just paperwork

No surprise here that the big gaping hole starts with SRAs that didn’t actually meet the standards of an SRA.  When OCR was asking for documentation about all the SRAs and associated risk management plans (which they almost always ask for BTW) JHS gave them plenty.  They had both internal and third party ones. They did internal ones in 2009, 2012 and 2013.  Third parties did the 2014-2017 SRAs.  Great they have the paperwork!

You know where we are going next, though, they were not done properly.  All of the ones prior to 2017 “erroneously identified” several HIPAA Security requirements as not applicable to them.  Right off the bat they just skipped parts of what they were supposed to do and said these compliance requirements don’t apply to us.  They were treating it like nothing more than paperwork that could be completed or skipped.  OCR started looking at reports back in 2015/2016 time frame.  They made them fix that on the next one that was done but it is no wonder why all of this was happening.

The one done in 2014 was deficient in scope of both the ePHI involved and the threats and vulnerabilities that exist in their systems.  Even with that limitation they didn’t provide evidence or documentation of a response to the findings and recommendations of the third party.

Same issue in 2015 when all of the ePHI wasn’t included and on top of that some sections of the SRA done by the third party were left blank.  Of course, the same high risk threats where on the 2015 one that were on the 2014 one that was not remediated.  Yet again, they were not remediated to a reasonable and appropriate level.

You will never guess that the same people must have done the one in 2016 because it had the same problems as the one from 2015.  Deficient in scope with some sections were left blank on this report and again the same high risk issues are listed but nothing done.  Are we in an infinite loop?

They tried a different approach in 2017.  But, again not a proper SRA even then.  This one didn’t even include the whole system.  Remember this organization is huge!  They only included the main campus in this supposed SRA and did it “compartmentalized by department”.  This one ended up being basically a policy review with staff interviews.  I really want to know the third parties that did these but you know that is left out.  Pay attention all you IT folks using the fill in the blanks forms or spreadsheets when you ask a few questions after running your scans.  All of these fall into those categories.

They go on with more specific violations like not reviewing audit logs even though they had the ability to create reports and review them.  When the SRA isn’t done properly like these you know there isn’t even a train on the tracks for the wheels to fall off of.

It gets pretty bad, too.  They admitted that the employee stealing information did not have the authorization or authority to the level of access that they used to get the data.  Of course, they had policies and procedures that said they wouldn’t do that but they were never followed.  In the JPP case, the nurse who released the info was continuing to access his records even when there was no TPO involved.  A second employee was found to be doing the same thing and never had a TPO reason to access them.  We haven’t even made it all the way through all the violations at this point.  This quote comes from item 30 in the list:

While all of these employees were sanctioned, their broad and excessive access evidences a lack of restriction, review and/or modification of the appropriate levels of access to ePHI. OCR JHS Determination

We still have more details about the paper records lost and the lack of proper breach notifications but we honestly can not cover this entire list in one episode.  We have never had one that had so many issues we couldn’t cover them all.

HIPAA Penalties Calculation

This place is a mess based on these findings.  OCR hit the big points and applied the penalties based on their findings.  They hit them with three different violations and two of them were going on for years.  They didn’t have a proper SRA or Risk Management program was one.  The other was they didn’t have any reasonable Access Management controls which they determined met the reasonable cause culpability standard that they said they used the lowest amount allowed which was $1,000. Here are the number of violations in those two issues.

2013: 163 days from July 22, 2013 to December 31, 2013

2014: 365 days from January 1, 2014 to December 31 , 2014

2015: 365 days from January 1, 2015 to December 31, 2015

2016: 26 days from January 1, 2016 to January 27, 2016

They also added the failure to have any Breach Notification policies when the 2013 requirements became official for one.  They added one 31 days later.  This one they said was willful neglect not correct.  The big kahuna one for 31 days.  They law requires a minimum of $50,00 per violation on that one.  That is how they got to the big number was all those days at $1k each and then the big one.

One final point to share was included in the considerations language about how they decided the amounts on the HIPAA penalties.  They noted that 2012-2018 JHS has filed about 150 small breach notifications to HHS that involved 391 individuals.

This case brought the enforcement actions announced to date in 2019 to a total of 5 for $5,349,000 and only this one was really imposing HIPAA penalties.  If you look at all of the announced enforcement by OCR since 2015 there is a total of 45 cases announced with an average amount involved of $1.85m per case.  In almost 4 years thousands of cases have been closed so it is easy to see the statistical likelihood of paying one of those big HIPAA penalties is pretty low.  Granted the impact would be huge if you happened to be one of these organizations.

When it comes to the risks I worry about the most it isn’t the actual HIPAA penalties it is all the things that happens before you get to that point.  Your business has to survive the impact of all of those other things even when you are one of thousands that just agree to correct action plans. That is usually a long and expensive road to travel even when no HIPAA penalties are ever imposed on your organization.  Worry about the cost that you never hear about in the news not the handful that you do hear about with the big HIPAA penalties blasted in the headlines.