On April 21, the Department of Health and Human Services’ Office of Civil Rights announced a resolution with New York Presbyterian Hospital regarding HIPAA privacy violations. The violations took place when the personal health information of two patients was disclosed to a crew from the ABC television series NY Med without the permission of the patients or their families. In one instance, the TV crew recorded the last moments of the victim of a fatal accident. The hospital agreed to pay $2.2 million to settle the case, without admitting liability.
The settlement with New York Presbyterian is the fourth time since mid-March of 2016 that HHS has announced a fine for HIPAA privacy violations. On March 16, North Memorial Health Care of Minnesota was fined $1.55 million for failing to enter into a business associate agreement with a major contractor, and for failing to institute an organization-wide risk analysis regarding the risks and vulnerabilities to patient information. The next day, on March 17, the Feinstein Institute of Medical Research agreed to pay $3.9 million to settle HIPAA claims that arose after a laptop with PHI was stolen from an employee’s car. On April 17, Raleigh Orthopaedic Clinic, P.A., of North Carolina, agreed to settle charges that it potentially violated HIPAA by failing to execute a business associate agreement prior to turning over PHI to a potential business partner. Raleigh Orthopaedic agreed to pay $750,000.
The recent settlements continue a trend that has been going on for several months. Several smaller settlements had been announced earlier in 2016. In 2015, HHS announced total settlements of more than $6 million for HIPAA privacy violations.
The rash of HIPAA enforcement activity comes at a time when OCR is also starting an extensive program of audits. The stepped-up focus on HIPAA privacy rules may stem from two reports issued by the HHS Office of Inspector General in September of 2015. One report called for the OCR to strengthen its oversight of HIPAA privacy standards, and one called for stronger follow-up of privacy breaches.
The enforcement actions and audit program make 2016 look like it will be the “Year of HIPAA.” Having an effective, workable compliance program in place will help you through it, and will make sure you’re not a news story or cautionary tale in the future.