HIPAA Enforcement Litigation
Healthcare providers are keenly aware of the steady increase in Health Insurance Portability and Accountability Act (“HIPAA”) enforcement efforts by the federal government—acting through the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”)—in the past several years. The OCR has not only brought more enforcement actions against healthcare providers who fail to protect patients protected health information (“PHI”), but it has also sought higher and higher penalties for HIPAA violations to the point that we are seeing fines at an unprecedented level. HIPAA enforcement actions are so prevalent because HIPAA, by its nature, has sweeping implications due to its broad application to all “covered entities,” a term that includes hospitals, health plans, HMOs, outpatient facilities, pharmacies, private medical practices, and most other healthcare providers. On top of that, in 2013 HHS expanded most of HIPAA’s requirements to apply to covered entities’ “business associates,” i.e. persons or entities that use a covered entity’s PHI to perform a service for it or on its behalf. Accordingly, virtually every person, practice, or facility working in the healthcare arena—including law firms—have some connection to, and is in some way subject to HIPAA.
Representative Matter: DBS attorneys successfully defended a community-based acute care facility in an Office for Civil Rights (OCR) review of alleged violations of the Privacy and Breach Notification Rules.
All HIPAA violations are, to some degree, the result of a covered entity’s failure to protect and maintain PHI. But these violations can take many different forms, all of which are enforced (with varying degrees of punishment) by the OCR. Some of the more common types of HIPAA violations include:
- Unencrypted Data Breaches – These are data breaches where a covered entity either loses PHI or has it stolen because the covered entity did not properly encrypt the data on its servers. Unencrypted data breaches occur with particular frequency when PHI is maintained on personal data devices such as smart phones, handheld devices, laptop computers, or tablets—which are typically not encrypted—and the device is lost or stolen.
- Breaches Due to Employee Error – These breaches are attributable to actual errors of a covered entity’s or business associate’s employee(s), such as inadvertently sending PHI to third parties, improperly storing unencrypted PHI, or disclosing confidential patient information that could be used to identify the patient.
- Business Associate Breaches – Both the business associate and the covered entity are liable for a breach committed by the covered entity’s business associate and not the covered entity (or one of its employees) itself. Given the prevalence of such breaches, covered entities should pay particular attention to drafting business associate agreements, and always inquire whether a potential vendor has a HIPAA audit report and HIPAA compliance program in place.
- Failure to Notify Violations – These violations arise after one of the more traditional breaches described above. After a breach, the covered entity is required to notify HHS, the affected individuals, and (depending on the number of people affected) possibly the state Attorney General and the media. This notification requires extensive documentation, and failure to strictly comply with these notification obligations can lead to further HIPAA sanctions.
No matter the type of HIPAA violation, any person or facility that is under investigation or subject to an enforcement action must act quickly and carefully to avoid, or at the very least substantially mitigate, its liability for a breach. HIPAA enforcement actions usually begin in one of three ways: (i) someone makes a complaint to the OCR alleging a HIPAA breach; (ii) the OCR conducts its own compliance review which uncovers a HIPAA breach; or, (iii) the person of facility self-reports a HIPAA violation and the OCR commences an investigation. In each scenario, the first thing the alleged HIPAA violator will receive from the OCR will be some type of notification of the enforcement action along with a request to produce relevant information. Although this is merely the first step in the process, the OCR notification often presents a difficult decision for a covered entity because it forces the entity to balance producing potentially incriminating information, on the one hand, with its legal duty to cooperate with the OCR investigation, on the other. This balance is especially delicate given that HIPAA violations can, in certain egregious circumstances, generate criminal enforcement and criminal penalties. It is important for every covered entity to remember that these concerns exist, to some degree, in every HIPAA enforcement action, even if the notification from OCR suggests the alleged infraction is minor or technical.
Representative Matter: DBS attorneys assisted a physician practice group in developing comprehensive HIPAA compliance protocols and procedures.
There is perhaps no better—and certainly no more frequent—example of the nexus between health law and litigation than HIPAA enforcement cases. No matter the type of breach alleged or the type of covered entity that is facing the resulting enforcement action, it is critical that the covered entity engage counsel that not only has experience with HIPAA (and HIPAA’s unique defenses and arguments), but who also has sufficient civil and criminal defense litigation experience to, first, keep the HIPAA breach solely a civil matter, and, second, to quickly and effectively respond if criminal liability arises.
Learn more about Donoghue Barrett & Singal's services in the area of Healthcare Litigation