HIPAA FINES TREND DOWN; CORRECTIVE ACTIONS TREND UP
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is completing its 25th anniversary as 2021 closes. To celebrate, the Department of Health and Human Services (“DHHS”) relaxed the enforcement of certain monetary penalties and is promoting transparency between itself and its regulated entities.
DHHS recently created and now maintains an updated chart depicting the top 5 issues investigated by its Office of Civil Rights (“OCR”), available by year and state, in addition to its own enforcement data. In 2020, the most investigated matters included cybersecurity issues, namely administrative and technical safeguards. And while not updated past 2015, data breach-driven enforcement actions yielded both investigations and DHHS-mandated corrective actions in 85% of cases. In 2020, the number of corrective actions increased by nearly 10 percent despite an overall drop in total investigations.
Additionally, DHHS announced further discretion before assessing fines for “good faith” violations resulting from the use of telehealth remote communications and the use of online or web-based scheduling applications used to promote Covid-19 vaccines (very transparent agenda…). DHHS announced that OCR “will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” DHHS further provided a list of Business Associates representing HIPAA-compliant communication products, which included Microsoft Teams, Google G Suite, Amazon Chime, and GoTo Meeting.
DHHS’ announcement regarding penalty enforcement follows its most recent reduction of the maximum allowable annual penalty that can be assessed against a covered entity for HIPAA compliance failures. Prior to 2019 and as codified in 45 C.F.R. §160.404(b), both willful violators and accidental violators could sustain maximum fines of $1,500,000.00. However, in April 2019, OCR announced relaxed penalties in 84 FR 18151:
These changes by DHHS are also reflected in a general, downward trend in the reported settlement amounts between DHHS and covered entities for HIPAA-violations.
An examination of the data available shows positive trends by OCR to lessen its previous draconian approach towards civil penalties. However, the number of DHHS-directed corrective actions continue to rise, disproportionately to the number of investigations, with the most investigated matters directly related to cybersecurity issues.