By: Dave Davidson
It has been a busy autumn for the enforcement of health care privacy rights. Recent activities range from settling the claim for the largest HIPAA violation in US history, to penalties imposed for filming TV shows, to actions initiated by state governments. All of these actions confirm the serious position taken by regulators nationwide to protect the privacy of protected health information (PHI).
The Big One
On October 15, 2018, Anthem, Inc., an independent licensee of Blue Cross, paid $16 million to settle its claim with the HHS Office for Civil Rights (OCR) for a breach that compromised the PHI of 79 million people. This was the largest reported breach in history. The PHI breach occurred in 2015, when hackers initiated a spear-phishing attack via fraudulent emails. The government found that Anthem lacked appropriate information system procedures to identify and respond to security breaches, and lacked the minimum access controls needed to stop these kinds of attacks.
In addition to the financial penalty, Anthem agreed to a corrective action plan, in which it agreed to perform a risk analysis, and incorporate the results of the analysis into its existing processes, in order to achieve a “reasonable and appropriate level” of HIPAA compliance.
This settlement is in addition to the $115 million settlement Anthem reached last year with the victims of the breach.
Alright Mr. Severino, I’m Ready for My Close Up
On September 20, 2018, the OCR announced that it had settled a HIPAA claim with three Boston-area hospitals. The total settlement amount is almost $1 million. Boston Medical Center, Brigham & Women’s Hospital, and Massachusetts General had all invited the ABC television network to film its Save My Life: Boston Trauma television show at their facilities. ABC’s description of the series says the show’s viewers “…will get unparalleled access to top tier trauma teams inside the emergency rooms and operating rooms of the nation’s most prestigious hospitals including the Boston Medical Center, Massachusetts General, and Brigham and Women’s. Lives that could be lost in lesser hands at less renowned medical centers are saved through feats of miraculous skill. The only certainty is that those who need care will receive the very best that medicine has to offer. This remarkable series tells many stories of heroism, poignancy, and unexpected humor.”
Unfortunately, that “unparalleled access” was not authorized by the people whose care and treatment were being filmed. The OCR has provided guidance for this kind of media activity, but unfortunately, none of the hospitals followed it. No advance authorizations were obtained from the patients before they were filmed. According to OCR Director Roger Severino, “Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments…. Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.” For the breach, Boston Medical Center paid $100,000; Brigham & Women’s Hospital paid $384,000; and Massachusetts General paid $515,000.
This was not ABC’s first episode with HIPAA problems. In April 2018, NY Presbyterian Hospital paid $2.2 million for a similar violation involving the filming of the series NY Med.
States are also increasing their enforcement of privacy laws and regulations. On September 11, 2018, Arc of Erie County paid $200,000 to the state of New York for allowing the PHI of 3,751 of its clients to be accessible on its website. And on September 24, 2018, the University of Massachusetts paid $230,000 to the state of Massachusetts for improper handling of a situation in which an employee intentionally and inappropriately accessed patient PHI.
It’s a Wrap
This recent enforcement activity shows the serious position that federal and state governments are taking regarding the privacy of PHI. The government will continue to seek significant penalties for these breaches in order to underscore the importance of maintaining the confidentiality of protected health information. All providers must therefore be extremely diligent in making sure they have appropriate IT protections in place, as well as thorough policies and procedures. Nothing will prevent a breach more than minding your P’s and Q’s and your PHI.