The privacy of personal health information is often considered the foundation on which an open exchange of the information between a medical service provider and the patient is built. The privacy of this most sensitive information depends on protection from unauthorized access, while at the same time making such information available to those who have a recognized need to use it.

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), among other duties, enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information. 

OCR’s actions in fulfilling its duties indicate that it identifies and investigates cases of significant impact, and where the matter involves systemic or long-standing concerns, financial penalties are part of the resolution. Since 2013, HHS has entered into more than a dozen resolution agreements involving a civil money penalty (CMP) with healthcare organizations involved in privacy violations.

Investigation Time

Two correlations can be drawn from these matters: one between the length of time OCR takes to investigate an incident and the amount of the CMP, and another between systemic or long-standing concerns about the conduct investigated and the CMP. Generally, a longer investigation results in a larger CMP. The corrective action plans that form part of these resolution agreements have involved several recurring requirements: risk analysis, risk management and training.

The average investigation time for CMPs of greater than $1 million was 43 months. The average investigation time for matters involving CMPs of less than $400,000 was 25.5 months. That is a difference of more than a year between the length of investigation for the million-plus-dollar penalties and the length of investigation for the sub-$400,000 CMPs.

Systemic or long-term concerns are closely associated with the assessment and amount of the CMP. The resolution agreements reveal that where deficiencies persist for a number of years, a CMP follows. For example, CMPs were assessed where no risk assessment had been conducted for more than four years, where the workforce had not been trained for more than seven years, and where encryption and other policies had not been managed for more than four years.

Penalty Assessment

Similarly, systemic issues of the following types appear to have contributed to the assessment of CMPs: failure to conduct a risk assessment of any kind, failure to safeguard protected health information (PHI) and failure to implement policies governing authorization of access to protected information. One or more of these issues was present in every matter where a significant CMP was levied. 

Corrective action plans for the matters evaluated contained provisions requiring the entity to conduct a thorough risk analysis, develop a risk management plan that addresses the risks identified and provide training. Not surprisingly, the training component often required training all the workforce members on policies and procedures with regard to protected health information. 

HHS provides on its website further insight into the training required. HHS points out that covered entities must train employees on policies and procedures for protected health information, and must impose sanctions against workforce members who flout those policies and procedures. A risk analysis was often required promptly, tailored to the type of incident reported to HHS. The risk management plan typically would include a timeline for implementing, evaluating and revising the plan. 

Healthcare organizations should be actively engaged in proactive measures to protect and secure electronic protected health information. Failing to take such measures over a period of time exposes the entity to CMPs, stringent remediation requirements including training of the entire workforce, and accelerated pressure to create viable policies and procedures that protect against privacy violations.

G. Calvin Hayes is an attorney in Buchanan Ingersoll & Rooney’s Tampa office. He is a member of the firm’s cyber security and data protection team, where he advises clients regarding data security issues and conducts electronic data breach investigations and multi-state notifications.