When HIPAA Hurts: Recent Enforcement Actions Focus on Business Associates; Unlawful Disclosures

Lately, there have been several headlines with the keyword “HIPAA” and dollar signs with a lot of zeroes.  The Office for Civil Rights (“OCR”) has been active lately in enforcing HIPAA, entering into several settlements with providers of various sizes and types.

For example, on March 16, 2016, OCR released information on a $1.55 million settlement it reached with North Memorial Health Care of Minnesota.  OCR alleged that North Memorial failed to execute a business associate agreement with a “major contractor” for a seven-month period and failed to conduct a risk analysis that covered its entire organization and infrastructure.  Significantly, the trouble started for North Memorial in 2011 when it notified OCR about a significant data breach caused by that same business associate’s employee. 

This enforcement activity highlights the necessity of actively managing business associate relationships.  Under HIPAA, a covered entity must enter into a business associate agreement with each of its vendors that receives, uses, discloses, or maintains the covered entity’s protected health information.  A covered entity must also report breaches that have occurred, whether through the fault of the covered entity itself or a business associate.  At a minimum, covered entities should ensure their business associate agreements are compliant with HIPAA regulations.  Covered entities should also determine when choosing and contracting with their business associates whether more protection is warranted.  Protections that can be built into business associate agreements include indemnification, strict breach response obligations, and potentially even audit rights.  Business associates have the same contracting considerations with respect to their subcontractors that handle clients’ protected health information.

Further, OCR announced on April 21, 2016 that it had reached a settlement with New York-Presbyterian Hospital, site of the network television show, “NY Med,” for $2.2 million dollars.  According to OCR, the Hospital unlawfully gave access to ABC television crews without seeking prior patient authorization and otherwise failed to adequately protect its PHI when camera crews were on-site.  New York-Presbyterian Hospital and North Memorial Health Care of Minnesota are both subject to two-year Corrective Action Plans.

This case resulted in a new FAQ from OCR on the topic, which unequivocally states OCR’s thoughts on the subject: that generally, “It is not sufficient for a health care provider to request or require media personnel to mask the identities of patients (using techniques such as blurring, pixelation, or voice alteration software) for whom an authorization was not obtained, because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.”

This blog’s previous post outlines the audit threat from OCR beginning earlier this year, and the current post highlights OCR’s ability both to levy significant fines for violations and to subject entities to monitoring for the periods set forth in Corrective Action Plans.  OCR has been flexing its muscle, which shows that, if health care providers or health plans are lax on their HIPAA compliance, HIPAA can hurt.