After a slow start to the year in terms of HIPAA settlements, the Office for Civil Rights (OCR) is trying to finish the year with a bang. Since September 20, 2018, OCR has announced four different HIPAA settlements. The conduct underlying each settlement has varied widely. As such, it remains difficult to determine which facts or circumstances will most interest OCR in pursuing an issue to the point of imposing a penalty.
The most recent settlement, involving Advanced Care Hospitalists (ACH), was announced on December 4, 2018. ACH agreed to pay $500,000 for arguably pervasive HIPAA issues. For background, the settlement indicated that ACH's problems began when a hospital notified ACH that some of its PHI was freely accessible on a third party billing company's website. Unfortunately for ACH, the third party billing company was not a stranger: it was the billing company ACH itself used. Compounding the issue, ACH never executed a business associate agreement with the billing company during the course of a roughly eight-month relationship spanning late 2011 into mid-2012. Making matters worse still, ACH did not have any HIPAA compliance policies or procedures in place until April 2014. As the litany of background facts demonstrates, ACH was not setting itself up well for the day OCR engaged in an investigation.
Predictably, the bad event did happen, and its cause was likely easily avoidable. Basic HIPAA policies and procedures should have alerted ACH to the necessity of signing a business associate agreement before sharing any PHI with a vendor. In fact, the ACH settlement is at least the third settlement reached by OCR premised at least in part upon a missing business associate agreement. As a quick reminder, it is the covered entity's obligation to put a business associate agreement into place. At the same time, while the lack of a business associate agreement will cause compliance concerns, the agreement should not just be reflexively handed out to every single vendor, whether or not that vendor handles PHI. That course of action will only set an organization up for a claim that it does not take its HIPAA obligations seriously, because it is unlikely that all of those contracts would be monitored, and a good number of the parties signing them would be in breach upon execution.
Ultimately, the ACH settlement hopefully represents an outlier of present-day activity. With that being said, there are still some aspects of the settlement that seem consistent with recent OCR actions and that should continue to leave the healthcare industry uncertain as to when a settlement will be pursued. As noted, the sharing of PHI occurred from November 2011 until June 2012, and the PHI was seen online in February 2014. Yet the settlement was not announced until December 2018. The Resolution Agreement does not state when or how notice of the breach was provided to OCR, which could be a factor in the timing of the settlement.
Despite the caveat about the unknown timing of notice, OCR has recently demonstrated a pattern of penalizing arguably dated activity. Consider the following 2018 settlements: (i) Fresenius paid $3.5 million in February 2018 for conduct from 2012, (ii) three Boston health systems paid a combined $999,000 over the filming of a television show in 2015 and (iii) Allergy Associates of Hartford paid $125,000 for a physician talking with a reporter about a patient in 2015. Does it really take OCR over three years to fully investigate, negotiate and resolve an issue? While that is not necessarily outside the realm of possibility, the length of time and the potential for a lookback should be troubling for organizations in healthcare, whether covered entities or business associates. Unless the statute of limitations has run on an issue, an organization should always be prepared for the proverbial knock on the door.
Regardless of when a breach or event of non-compliance occurred, every settlement announced by OCR should serve as a reminder that now is always the best time to vet compliance practices and implement updates where appropriate. While the government may not explicitly say as much, it is practically impossible to be one hundred percent compliant all of the time. Irrespective of that reality, it is possible to demonstrate an honest, good faith effort to be compliant one hundred percent of the time. When an organization can demonstrate that it is trying to do the right thing and a mistake nonetheless occurs, the outcome should be much different than for a similar organization that takes the ostrich approach of sticking its head in the sand.