It seems that the US Department of Health and Human Services Office of Civil Rights is increasing enforcement actions against health care providers and their vendors (known as business associates). While one might have suspected that enforcement actions would be down under this administration, in fact, the opposite is true and fines are up.
In this case, the Pagosa Springs (Colorado) Medical Center paid more than $111,000 for failing to terminate a former employee's access to a patient calendar program.
The calendar only contained information on 557 patients, so this is not a massive breach.
They also did not obtain a signed Business Associate Agreement from Google, whose software they were using.
The former employee accessed the data twice, two months apart, but did not appear to do anything malicious with it.
The medical center had to enter into a corrective action program that included a number of items, including improved policies and training.
OCR Director Roger Severino said that enforcement will increase under his watch.
Evidence of this is that this is the third enforcement action in the last month.
On December 4th, a Florida based physicians group paid a $500,000 fine for various HIPAA violations.
A week prior to that, OCR settled with a Hartford based practice for $125,000 for impermissible disclosure of protected health information.
Putting this all together, it would seem to lend some credence to OCR’s claim that enforcements are up.
In the first case, only 557 records were involved. That translates to a fine of $200 per record disclosed.
In addition, fining someone for not having a BAA with a company like Google indicates that OCR definitely wants people to follow the process, without regard to whether there is significant risk on Google's part. After all, Google probably has security as good as that of the best medical practices.
The HIPAA compliance process is complex and even daunting, but failing to follow it can be expensive.
It also appears that the Office of Civil Rights has a very long memory as one of these fines was for something that happened 7 years ago, in 2011.
Our recommendation is to follow the process and document what you have done. That can be painful, but so is writing a check to the government for $100,000 or even $500,000.
Information for this post came from Health IT Security.