Why Are HIPAA Fines Down 93% - With Data Breaches Soaring?
Federal Regulators Struggle With Pivotal Court Ruling, Rising Workload and Turnover
What works best for driving healthcare sector entities to improve their protection of patient data?
The threat of federal regulatory fines for health data breaches and HIPAA violations? The embarrassment of having to notify thousands, if not millions, of trusting patients that their sensitive health information was stolen by cybercriminals? The terror of critical IT systems, such as electronic health records and life-supporting medical devices, being inaccessible for diagnosing and treating patients? The likelihood of very expensive and time-consuming class action lawsuits?
All of those are valid fears faced by healthcare providers and their vendors that handle protected health information and suffer hacking incidents, ransomware attacks, data exfiltration or an array of other damaging data breaches.
But while regulatory fines and settlements, such as those imposed by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, grab headlines, the reality is that only a small percentage of breaches ever face regulatory action. In fact, since a pivotal court ruling in 2021, HHS OCR has only issued one major fine for a data breach in the last 22 months, and total annual fines for breaches have dropped a whopping 93%.
This comes at a time when the number of healthcare breaches reported to HHS has nearly doubled since 2018 and some services have been disrupted for weeks by ransomware attacks.
For sure, HHS OCR has slapped dozens of covered entities and business associates with hefty fines and strict corrective action plans in the aftermath of breaches - big and small - since 2008, when the agency issued its first HIPAA enforcement action. That includes a record $16 million settlement in 2018 against health insurer Anthem in the wake of a 2014 cyberattack that compromised the PHI of nearly 79 million individuals.
But in the aftermath of many breach investigations and HIPAA complaints, HHS OCR will often offer technical assistance to help the organization address potential violations of the HIPAA security and privacy rules rather than pursue civil monetary penalties or financial settlements.
In fact, the dominant focus of HHS OCR's HIPAA enforcement over the last three and a half years has been cases involving entities potentially violating patients' HIPAA right to access their medical records.
HHS OCR has taken enforcement actions, including financial settlement and corrective action plans, in 41 such right of access cases. Meanwhile, the agency has brought only one case involving a data breach related to hacking or ransomware since January 2021. It resulted in a $937,000 fine against Oklahoma State University.
Overall, to date, OCR has settled or imposed a civil money penalty in 126 cases, resulting in a total of $133.5 million in fines.
A number of factors play into HHS OCR's HIPAA enforcement. For one, the tiny agency has had pretty much the same budget and headcount for years, even as the volume of breaches and HIPAA complaints continues to soar annually.
HHS' enforcement statistics website shows that as of Oct. 31, 2022, OCR had received over 312,031 HIPAA complaints since April 2003 - the compliance date of the HIPAA Privacy Rule - and 97% of those cases have been resolved, mostly through the agency providing technical assistance or requiring actions, such as changes in privacy practices. In some cases, OCR determined that no HIPAA violation occurred or that a complaint did not present an eligible case for enforcement, such as when OCR lacked jurisdiction.
But even in some breach cases in which HHS OCR appears to have clear-cut jurisdiction, enforcement action is not a simple endeavor.
On Jan. 14, 2021, a federal appeals court struck down a $4.3 million fine imposed by OCR in a breach case involving the University of Texas MD Anderson Cancer Center. The court in its ruling said it found the fine "arbitrary, capricious and contrary to law," calling into question the processes and analysis HHS OCR uses in its enforcement decisions.
While HHS OCR officials declined Information Security Media Group's request for comment on the impact of that court ruling, some privacy and security experts say the court's decision appears to have put a chill on HIPAA enforcement actions in certain cases.
"There probably is impact, but because of the opaque nature of OCR enforcement progress, I think it's hard to measure," says privacy attorney David Holtzman of consultancy HITprivacy LLC and a former senior adviser at HHS OCR.
"I also think that we're seeing a policy shift at HHS on how it approaches information security and how they look at the security rule and its role in combating breaches in cybersecurity incidents. So, I don't think it's just MD Anderson. I think there are many, many issues at play."
In any case, since the MD Anderson court ruling, HHS OCR has issued financial settlements in only two breach cases. The first is a $5.1 million fine levied on Jan. 15, 2021 - one day after the MD Anderson court ruling - against Lifetime Healthcare, parent company of health insurer Excellus, for a breach affecting 9 million individuals. In the last 22 months, the agency has brought forward only one other breach settlement case - a $937,000 fine against Oklahoma State University in October for a hacking incident affecting nearly 280,000 individuals.
From HHS OCR's perspective, enforcement in breach cases, right of access disputes and other HIPAA violations remains a top priority.
"OCR continues to enforce the law. They have rules, and we are certainly continuing to investigate breaches and investigate different complaints that people post to OCR. That continues to be our posture and how we are going to work things moving forward," says Nicholas Heesters, HHS OCR senior adviser of cybersecurity.
In the meantime, healthcare sector entities and their business associates are not the only ones that need to be paying closer attention to their security posture. A Nov. 16 annual report by the HHS Office of Inspector General says HHS itself needs to modernize its approach to cybersecurity (see: HHS Needs to Modernize Its Cyber Approach: Watchdog Agency).
HHS faces "significant challenges" in protecting data and technology from cyberthreats and improving how its various related entities share large volumes of critical data, including public health data, the watchdog report says.
The department's federated IT and cybersecurity approach doesn't make those challenges any easier, it says.
Greg Garcia, executive director at the Health Sector Coordinating Council, a public-private advisory group to HHS, says that it is imperative - for the sake of the healthcare and public health sector at large - that HHS find ways to better coordinate cybersecurity across its many agencies.
"You have all of these operational divisions within HHS," he says. They don't necessarily coordinate on cybersecurity "in a coherent way because they all have their own statutory authorities that they have to answer to," he says.
"It's incumbent upon the executive leadership … to find ways to coordinate holistically how HHS is going to address constantly evolving cybersecurity threats against the nation's healthcare system."
Garcia says that monetary incentives can play a role in securing the industry.
"We're told that the Centers for Medicare and Medicaid Services is considering whether they can use the reimbursement process as an incentive to do the right thing in cybersecurity or reimbursements are higher," he says. Other potential incentives include grant programs from HHS, "to give smaller hospital systems a leg up in terms of investing in the Health Information Sharing and Analysis Center membership, which is a very small amount to pay, or to invest in other managed security services," he says.
Garcia and others also say a fundamental challenge facing the HHS is the siloed nature of the federal agencies that regulate various aspects of cybersecurity in healthcare, including HHS' Food and Drug Administration, the Office for Civil Rights and the Office of the National Coordinator for Health IT. Another federal agency involved in healthcare sector cybersecurity is the Cybersecurity and Infrastructure Security Agency, which is charged with protecting critical infrastructure and is part of the Department of Homeland Security.
"I think what will be interesting to watch is to what extent the administration supports a separate activity at HHS for cybersecurity or whether they're going to roll everything up into one agency," Holtzman says.
Meanwhile, every new presidential administration appoints a new HHS secretary, who then chooses a new director of HIPAA enforcement. But except for Roger Severino, who served as HHS OCR director for all four years of the Trump administration, most don't stay for the full term.
In fact, HHS OCR has had five directors over the past decade. Lisa Pino, the Biden administration's first HHS OCR director, left the job after less than a year. In September, Melanie Fontes Rainer became the new director. She declined ISMG's request for an interview.
Like any new HHS OCR director, Rainer will need to come up to speed, Holtzman says.
"To some extent, the managers and the staff are working to both teach the director to … wherever her comfort level is, and also to learn from the new director what her priorities are," he says. "And then we have the secretary's and the administration's priorities."