The United States District Court for the District of Columbia issued a Memorandum Opinion on June 15, 2018, granting a Motion to Dismiss filed on behalf of Laboratory Corporation of America (“LabCorp”). The plaintiff sued LabCorp based upon allegations that LabCorp failed to adequately protect her personal health information, which was visible to another patient at a nearby intake station. She alleged that, by failing to make proper “public accommodations” to protect her data, LabCorp was operating a non-HIPAA-compliant facility. The court correctly noted that “[w]hile the statute provides both civil and criminal penalties for improperly handled or disclosed information, the language of the statute specifically limits enforcement action to HHS and individual states’ attorney’s general.” The court went on to confirm that HIPAA grants no private right of action, consistent with many prior rulings. (A copy of the court’s Memorandum Opinion is available here.)
From the Administrative Law Judge’s decision discussed below, the penalties were imposed as follows:
To remedy Respondent’s noncompliance with 45 C.F.R. § 164.312(a), civil money penalties of $2,000 per day for each day of a period that began on March 24, 2011 and that continued through January 25, 2013; and
To remedy Respondent’s noncompliance with 45 C.F.R. § 164.502(a), civil money penalties of $1,500,000 per year for the years 2012 and 2013.
So, does this mean that health care providers and their business associates are immune from liability? The same month the District Court issued that ruling, a Department of Health and Human Services (HHS) Administrative Law Judge ruled that the University of Texas MD Anderson Cancer Center violated HIPAA and ordered MD Anderson to pay more than $4.3 million in civil monetary penalties for failing to encrypt its electronic devices containing electronic protected health information (ePHI), resulting in a breach when those devices were stolen. The Office for Civil Rights (OCR) determined that MD Anderson’s policies were not current and that the lack of device-level encryption placed the security of the ePHI on those devices at high risk. (A copy of the Administrative Law Judge’s ruling is available here.)
Non-compliance with HIPAA and HITECH not only places a patient’s ePHI at risk, it exposes the non-compliant Covered Entity or Business Associate to potential civil and criminal penalties that can be pursued by the OCR or by state attorneys general. As discussed within the Administrative Law Judge’s decision, those penalties are calculated on a daily or an annual basis. MD Anderson was penalized $2,000 per day ($730,000.00 per year) for a period of almost two years. In addition, it was penalized $1.5 million per year for a period of two years.
Ignoring the issue of compliance accomplishes two things. First, inaction creates a history of non-compliance, because the entity cannot affirmatively demonstrate actions taken to achieve and maintain compliance, which increases the probability that the entity will be penalized in the event of an audit or investigation. Second, procrastination only compounds the impact of the penalty phase, as it creates a longer period of time over which penalties might be assessed.
From a risk mitigation perspective, privacy compliance deserves to be made a priority, as it can significantly reduce exposure to the penalties that might be assessed in the event of an audit or an investigation of a data breach. Starting the process can be overwhelming, but as with all such things, it begins with that first, all-important step. Begin with a comprehensive risk assessment to identify areas of noncompliance, followed by the development of a corrective action plan. If you are unsure about how to perform the risk assessment, consider seeking assistance and guidance. The important thing is to act.
If you are struggling to implement or maintain your HIPAA compliance program, get in touch with us and let’s talk about conducting a risk assessment and automating much of the work.