It hasn’t been widely publicized, but President Trump’s administration brought five HIPAA enforcement actions, totaling $11,631,000, during his first 100 days in office. The appointment of Roger Severino as Director of the Office for Civil Rights (OCR) on March 22, 2017, was done quietly, without the customary press release. These initial enforcement actions had all been in the pipeline for years under the Obama administration. Nonetheless, it is significant that the Trump administration has stayed the course, signaling the likelihood of ongoing HIPAA enforcement.
The enforcement actions include:
- 2/1/2017: Children’s Medical Center of Dallas (Children’s) – $3.2 Million. Children’s lost multiple devices containing ePHI, and the OCR investigation revealed that although its own Security Risk Analysis had recommended encryption since 2007, it failed to act on that advice for 6 years. Instead, it continued to issue unencrypted devices to employees. Children’s chose not to negotiate with the OCR and simply paid the entire $3.2 million Civil Monetary Penalty determination.
- 2/16/2017: Memorial Healthcare System – $5.5 Million. This hospital system in South Florida failed to monitor the activity of a terminated user’s account, which was used to access the records of 80,000 patients over a one-year period.
- 4/12/2017: Metro Community Provider Network – $400K. This Federally Qualified Health Center and safety-net provider in Denver, Colorado, failed to conduct a computer security risk analysis, and failed to manage risks, prior to a data breach. The federal government didn’t want to put it out of business, so the parties agreed to a modest settlement of $400K.
- 4/20/2017: Center for Children’s Digestive Health – $31K. This six-physician GI practice in the Chicago area engaged a patient-chart storage company, FileFax, Inc., in 2003, and then failed to obtain a HIPAA Business Associate Agreement for 12 years.
- 4/24/2017: CardioNet – $2.5 Million. This Philadelphia-area remote wireless cardiac monitoring provider agreed to a $2.5 million settlement. In January 2012, a laptop containing the ePHI of 1,391 individuals was lost; the resulting investigation revealed that CardioNet had insufficient risk analysis and risk management processes, and that its HIPAA policies and procedures existed only in draft form and had never been implemented.
There are other clues that the Trump administration will continue with HIPAA enforcement. It is widely reported that the administration is working on an executive order on cybersecurity. Also, new HHS Secretary Price, during his tenure as a Congressman from Georgia, authored an Obamacare replacement bill that included provisions requiring HIPAA compliance from health plans and providers.