Act promptly to address HIPAA violations
If you discover improper use or disclosure of protected health information (PHI) or any vulnerabilities to the privacy or security of PHI, it is crucial to diligently identify and correct any related violation or vulnerability. Prompt correction will go a long way toward minimizing exposure to potential penalties and liabilities, and may even create an affirmative defense to penalties for HIPAA violations.
The HIPAA civil monetary penalty regulations protect a covered entity or business associate from civil monetary penalties for a violation of HIPAA administrative simplification requirements (e.g., the Privacy, Security and Breach Notification Rules) if the violation:
- Is not due to willful neglect.
- Is corrected within 30 days after the covered entity or business associate knew, or by exercising reasonable diligence should have known, that the violation occurred. This 30-day period may be extended by the Department of Health and Human Services (HHS) Secretary based on the nature and extent of the violation.
In its October 2016 guidance on the use of cloud services providers (CSPs), the HHS Office for Civil Rights (OCR) observed that a covered entity and business associate are required to enter into a business associate agreement before the covered entity’s electronic PHI (ePHI) is stored or transmitted in the business associate’s cloud. The guidance also stated that the CSP is required to comply with the HIPAA Rules even if it has not executed a business associate agreement. (For more information, read our alert OCR addresses business associate concerns for cloud services.) OCR recognized, however, that a CSP could qualify for the affirmative defense by correcting any non-compliance within 30 days (or additional period determined by OCR) of when it first knew or should have known that the covered entity’s ePHI was maintained in its cloud, unless the CSP’s lack of knowledge was due to its willful neglect. The CSP would then need to promptly enter into a business associate agreement and comply with all applicable HIPAA Rules, or securely return or destroy the ePHI.
It is important to keep in mind that the 30-day period to correct a violation begins when the covered entity or business associate knew or should have known of the violation. In some cases the 30-day clock may begin to run when the breach is discovered. In other cases, OCR may determine that a violation should have been discovered earlier, or only after a subsequent investigation.
Even if the affirmative defense regulation is not satisfied, prompt steps to correct a HIPAA violation, address vulnerabilities, and mitigate the harm from any breach are likely to significantly reduce the potential exposure. For example, if OCR determines that a violation is due to willful neglect (and therefore not eligible for the affirmative defense) but the violation is corrected within 30 days, the minimum and maximum civil monetary penalties under the regulations would be drastically reduced: minimums would decrease from $50,000 to $10,000 per violation. Moreover, OCR, as well as other potential enforcers, is likely to be more lenient if a covered entity or business associate can show that it acted in good faith to address any violations or vulnerabilities upon discovery and to mitigate the harmful effects of any breach or violation.
Covered entities that fail to diligently respond to HIPAA violations or vulnerabilities to the privacy or security of PHI face potential financial exposure that has been expanding rapidly in recent years. Already in 2017, OCR has announced seven resolution agreements with covered entities for HIPAA violations, including settlements for $5.5 million with a Florida health system, $2.5 million with a cardiac remote monitoring company, $2.4 million with a Texas health system, and $2.2 million with a life insurance company. Furthermore, on Feb. 1, 2017, OCR announced its imposition of a $3.2 million civil monetary penalty against a Texas children’s hospital for failure to implement recommended safeguards to address known risks.