Though most physicians and physician practice managers are familiar and comfortable with several aspects of complying with the provisions of the HIPAA rules, many are largely unaware of the contours of HIPAA enforcement. When a breach or improper disclosure occurs, or other HIPAA deficiency is discovered, many may panic at the thought of facing tens of thousands of dollars in penalties. Even a $10,000 penalty could be devastating for a smaller practice.
This article attempts to explain the realities of HIPAA enforcement: the investigative process, concrete examples of enforcement and advice on how to navigate HIPAA enforcement actions.
The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA. HIPAA enforcement itself is governed by the Enforcement Rule, first published in 2000 along with the Privacy Rule, and updated over time (most recently in 2013 with the publication of the Omnibus Rule). In most cases, HIPAA enforcement by the OCR begins with a complaint investigation or a compliance review.
Complaint investigations are generated, as the name suggests, by complaints submitted to the OCR. Complaints may be submitted by anyone aware of the alleged improper conduct; the complaint does not need to be submitted by a patient or the individual described in protected health information (PHI). Complaints must be submitted in writing and must describe the acts or omissions believed to be a violation of HIPAA. The complainant’s name must be included in the submission, and the complaint must be filed within 180 days of when the complainant knew or should have known of the allegedly violative act or omission.
When a complaint is submitted and is accepted, the OCR will notify both the complainant and the covered entity (or business associate) that is the subject of the complaint that the OCR has begun an investigation. This determination is based on a preliminary review of the facts in the complaint. Although the OCR retains broad discretion to investigate, when the preliminary review suggests that the violation may have occurred from willful neglect, the OCR is required by law to investigate.
A complaint investigation may review many different types of documents, such as policies, procedures, handbooks, and other specific information requested by the OCR from the covered entity and/or the complainant. Covered entities are required to reply to such investigative requests, and failure to do so can lead to adverse outcomes.
Compliance reviews, by contrast, begin from sources other than complaints. These sources include news media reports, breach reports (which must be filed by covered entities in the event of a breach), and other sources of information. The OCR has been deliberately vague about the basis for a compliance review, stating that by describing the instances in which a review would be conducted could lead covered entities to focus compliance efforts “towards those aspects of compliance that had been identified as likely to result in a compliance review.”1 Put another way, the OCR would prefer that covered entities focus on compliance overall rather than merely compliance as a means of avoiding OCR scrutiny. As with complaint investigations, covered entities are required to cooperate with the OCR and provide it with documentation upon request.
Once the investigation or compliance review is finished, the OCR will close the matter if no violation is discovered. When noncompliance with HIPAA is found, however, the OCR does not immediately impose penalties. Instead, the OCR usually attempts to resolve the matter informally. This usually occurs through either voluntary compliance by the covered entity on its own, corrective actions at the OCR’s urging or entry into a resolution agreement and corrective action plan (RA/CAP). An RA/CAP usually involves payment of some kind of settlement amount, but this is always less than the amount that would be required if the OCR imposed a civil money penalty (CMP).
The OCR is required to impose a CMP once it has made a final determination that a covered entity has violated one or more of the HIPAA regulations. The precise amount to be imposed, however, depends on the degree of knowledge of the conduct, and the total number of violations. For a single violation in which the covered entity did not know and could not have known of the violation through the exercise of reasonable diligence, the penalty can be as low as $127 per violation. For violations due to willful neglect when the covered entity does not correct the violation within 30 days of discovery, the penalty can be as high as $63,973 per violation. Multiple violations can increase these amounts, and it is not uncommon for one incident to involve multiple, separate violations of a HIPAA requirement.
For example, HIPAA requires that covered entities enter into business associate agreements (BAA) with their business associates, which must include specific provisions (e.g., a prohibition on further disclosures of PHI that would violate the Privacy Rule; a requirement that the business associate impose the same restrictions BAA upon any subcontractor it uses; etc.). If a covered entity enters five different BAAs with five different business associates, and each agreement lacks two required provisions, the covered entity has committed five violations of each of the two requirements for a total of 10 different violations.
During complaint investigations and compliance reviews stemming from a specific violation, the OCR also often discovers other deficiencies. For example, in investigating a breach report the OCR might also discover that the covered entity:
- Has not updated its security risk assessment in over a decade, even though it has changed electronic infrastructure several times in that period;
- Does not have a security officer; and
- Lacks effective physical safeguards for electronic PHI, each of which may have helped give rise to the breach in question.
Enforcement in practice
The OCR tends to resolve most complaint investigations and compliance reviews through informal means and, as a result, does not make a “final determination” of a violation that would require imposing a CMP. The OCR has further stated that its overall goal is to obtain compliance from covered entities and business associates; its conduct suggests that it is less concerned with imposing stiff penalties and securing large monetary recoveries (in contrast to CMS Recovery Audit Contractors [RACs], for example). This tendency can be seen in reviews of the OCR’s own statistics regarding its enforcement efforts2, as well as its published RA/CAPs.3
In the period between 2018 and 2021, the OCR imposed CMPs between 10 and 19 times per year. This amounted to less than 1% of total cases investigated. By contrast, corrective action was obtained between 995 and 1,357 times in each of those years, when the case went beyond the preliminary review and was investigated.4
In many cases, the covered entity can avoid the worst penalties simply by complying with the OCR’s guidance and responding promptly to its requests. For example, compare two different cases involving a violation of HIPAA: one involving a podiatry practice and the other involving a psychiatric practice. In both cases, patients with existing account balances were denied access to their medical records until the patients paid their respective balances. Following complaints by the patients themselves, the OCR investigated their two cases.
In the case of the podiatry practice, the patient complained multiple times. The OCR investigated the practice twice, sent letters with technical assistance (i.e., instructions on how to comply with HIPAA), and called the practice twice. Investigators were told that the physician who owned the practice was aware of the OCR’s inquiry. The OCR then sent a letter offering the practice the opportunity to submit written evidence of mitigating factors or affirmative defenses to support the waiver of a CMP, all of which the practice ignored. As a result, the OCR imposed a $100,000 penalty.
By contrast, the psychiatric practice was notified of the OCR’s investigation and subsequently gave the patient full access to their records. The practice entered an RA/CAP and settlement with the OCR and was required to pay only $3,500. The practice also had to undertake various remedial actions to implement more effective policies and procedures surrounding patient access to records, which they would have to submit to the OCR for review prior to their implementation. However, this result is far more desirable than a $100,000 CMP.
In our own practice, we represented a solo physician office that suffered a HIPAA security breach. During our representation, and with the hard work of the practice itself, we were able to convey to the OCR that the practice was taking its compliance efforts seriously and avoided the imposition of any penalties and any remedial action. Instead, the OCR simply closed the investigation.
The facts in our client’s situation were not ideal. The breach was a hack and ransomware attack that had occurred over the course of several days. The physical, administrative and technical safeguards in place at the time of the breach had been inadequate, and the client had used a local IT technician to provide most of its technical support. The client’s server was in an unlocked room with incorrectly configured cables that had been adjusted to bypass its firewall, and its antivirus and malware programs had not been updated for some time. Moreover, the client’s security risk assessment was out of date.
Upon discovery of the hacking incident, the client took several steps to fix the problem. It investigated the incident — using an outside audit company — and instructed its EHR vendor to restore access to its records. It fired the IT technician and hired a new company with HIPAA expertise. The client also hired another company to conduct a new security risk assessment (SRA), and developed new policies and procedures based on this assessment. It fixed the physical security issues, installed new security cameras on the building exterior, improved its backup procedures and enabled several other technical safeguards to protect against future hacks.
Most importantly, the client documented all its efforts extensively and provided a clearly written narrative with evidence to demonstrate its efforts, including copies of emails with the IT technician, the EHR provider, auditors and new security company, as well as copies of old and new SRAs and policies and procedures. The OCR took nearly two years to investigate the matter before closing the case. This was a good result; however, it required extensive effort over the course of months, not to mention significant expense to the client in legal fees and fees to other contractors.
From this experience, one can conclude that the OCR looks for certain things when determining whether to impose penalties or require additional remediation during an investigation or compliance review. First, the OCR wants to see that the covered entity is taking its compliance efforts seriously. This requires more than simply stating as much; evidence must be presented to demonstrate it. Beyond simply having policies and procedures in place, covered entities need to be actively engaged in ongoing compliance efforts, including periodic internal monitoring, evaluation of the efficacy of policies and procedures and revision where needed. Second, the OCR will be more convinced of the covered entity’s efforts if the covered entity can also supply contemporaneous documentation to support its assertions of compliance. It is not enough to merely “tell” — one must also “show.” It is also helpful to present this information as clearly and organized as possible.
No covered entity will be 100% effective in maintaining HIPAA compliance. Eventually, there will be a breach, a violation or some other problem. When that occurs, it is far easier to respond to such incidents and mount a defense if the practice has been diligent in its HIPAA compliance efforts prior to that point and maintains robust documentation of its efforts. Even then, an effective response will require the help of knowledgeable healthcare legal counsel.
- 71 Fed. Reg. 8396, Feb. 16, 2006.
- HHS. “Enforcement Results by Year.” Available from: https://bit.ly/46yvILg.
- HHS. “Resolution Agreements.” Available from: https://bit.ly/44wFnjz.
- HHS. “Enforcement Results by Year.”