Why Are HIPAA Fines Down 93% - With Data Breaches Soaring?Federal Regulators Struggle With Pivotal Court Ruling, Rising Workload and Turnover
What works best for driving healthcare sector entities to improve their protection of patient data?
The threat of federal regulatory fines for health data breaches and HIPAA violations? The embarrassment of having to notify thousands, if not millions, of trusting patients that their sensitive health information was stolen by cybercriminals? The terror of critical IT systems, such as electronic health records and life-supporting medical devices, being inaccessible for diagnosing and treating patients? The likelihood of very expensive and time-consuming class action lawsuits?
All of those are valid fears faced by healthcare providers and their vendors that handle protected health information and suffer hacking incidents, ransomware attacks, data exfiltration or an array of other damaging data breaches.
But while regulatory fines and settlements, such as those imposed by the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, grab headlines, the reality is that only a small percentage of breaches ever face regulatory action. In fact, since a pivotal court ruling in 2021, HHS OCR has only issued one major fine for a data breach in the last 22 months, and total annual fines for breaches have dropped a whopping 93%.
This comes at a time when the number of healthcare breaches reported to HHS has nearly doubled since 2018 and some services have been disrupted for weeks by ransomware attacks.
For sure, HHS OCR has slapped dozens of covered entities and business associates with hefty fines and strict corrective action plans in the aftermath of breaches - big and small - since 2008, when the agency issued its first HIPAA enforcement action. That includes a record $16 million settlement in 2018 against health insurer Anthem in the wake of a 2014 cyberattack that compromised the PHI of nearly 79 million individuals.
But in the aftermath of many breach investigations and HIPAA complaints, HHS OCR will often offer technical assistance to help the organization address potential violations of the HIPAA security and privacy rules rather than pursue civil monetary penalties or financial settlements.
In fact, the dominant focus of HHS OCR's HIPAA enforcement over the last three and a half years has centered around cases involving entities potentially violating the HIPAA right for patients to access their medical records.
HHS OCR has taken enforcement actions, including financial settlement and corrective action plans, in 41 such right of access cases. Meanwhile, the agency has brought only one case involving a data breach related to hacking or ransomware since January 2021. It resulted in a $937,000 fine against Oklahoma State University.
Overall, to date, OCR has settled or imposed a civil money penalty in 126 cases, resulting in a total of $133.5 million in fines.
A number of factors play into HHS OCR's HIPAA enforcement. For one, the tiny agency pretty much has had the same budget and headcount for years, even as the volume of breaches and HIPAA complaints continue to soar annually.
HHS' enforcement statistics website show that as of Oct. 31, 2022, OCR has received over 312,031 HIPAA complaints since April 2003 - the compliance date of the HIPAA Privacy Rule - and 97% of those cases have been resolved, mostly through the agency providing technical assistance or requiring actions, such as changes in privacy practices. In some cases, OCR determined that no HIPAA violation occurred or that a complaint did not present an eligible case for enforcement, such as OCR lacking jurisdiction.
But even in some breach cases in which HHS OCR appears to have clear-cut jurisdiction, enforcement action is not a simple endeavor.
On Jan. 14, 2021, a federal appeals court struck down a $4.3 million fine imposed by OCR in a breach case involving the University of Texas MD Anderson Cancer Center. The court in its ruling said it found the fine "arbitrary, capricious and contrary to law," calling into question the processes and analysis HHS OCR uses in its enforcement decisions.
While HHS OCR officials declined Information Security Media Group's request for comment on the impact of that court ruling, some privacy and security experts say the court's decision appears to have put a chill on HIPAA enforcement actions in certain cases.
"There probably is impact, but because of the opaque nature of OCR enforcement progress, I think it's hard to measure," says privacy attorney David Holtzman of consultancy HITprivacy LLC and a former senior adviser at HHS OCR.
"I also think that we're seeing a policy shift at HHS on how it approaches information security and how they look at the security rule and its role in combating breaches in cybersecurity incidents. So, I don't think it's just MD Anderson. I think there are many, many issues at play."
In any case, since the MD Anderson court ruling, HHS OCR has issued financial settlements in only two breach cases. They include a $5.1 million fine levied on Jan. 15, 2021 - one day after the MD Anderson court ruling - against Lifetime Healthcare, parent company of health insurer Excellus - in a breach affecting 9 million individuals. In the last 22 months, the agency has brought forward only one other breach settlement case - a $937,000 fine against Oklahoma State University in October for a hacking incident affecting nearly 280,000 individuals.
From HHS OCR's perspective, enforcement in breach cases, right of access disputes and other HIPAA violations remains a top priority.
"OCR continues to enforce the law. They have a rules, and we are certainly continuing to investigate breaches and investigate different complaints that people post to OCR. That continues to be our posture and how we are going to work things moving forward," says Nicholas Heesters, HHS OCR senior adviser of cybersecurity.
In the meantime, healthcare sector entities and their business associates are not the only ones that need to be paying closer attention to their security posture. A Nov. 16 annual report by the HHS Office of Inspector General says HHS itself needs to modernize its approach to cybersecurity (see: HHS Needs to Modernize Its Cyber Approach: Watchdog Agency).
HHS faces "significant challenges" in protecting data and technology from cyberthreats and improving how its various related entities share large volumes of critical data, including public health data, the watchdog report says.
The department's federated IT and cybersecurity approach doesn't make those challenges any easier, it says.
Greg Garcia, executive director at the Health Sector Coordinating Council, a public-private advisory group to HHS, says that it is imperative - for the sake of the healthcare and public health sector at large - that HHS find ways to better coordinate cybersecurity across its many agencies.
"You have all of these operational divisions within HHS," he says. They don't necessarily coordinate on cybersecurity "in a coherent way because they all have their own statutory authorities that they have to answer to," he says.
"It's incumbent upon the executive leadership … to find ways to coordinate holistically how HHS is going to address constantly evolving cybersecurity threats against the nation's healthcare system."
Garcia says that monetary incentives can play a role in securing the industry.
"We're told that the Centers for Medicare and Medicaid Services, is considering whether they can use the reimbursement process as an incentive to do the right thing in cybersecurity or reimbursements are higher," he says. Other potential incentives include grant programs from HHS, "to give smaller hospital systems a leg up in terms of investing in the Health Information Sharing and Analysis Center membership, which is a very small amount to pay or to invest in other managed security services," he says.
Garcia and others also say a fundamental challenge facing the HHS is the siloed nature of the federal agencies that regulate various aspects of cybersecurity in healthcare, including HHS' Food and Drug Administration, the Office for Civil Rights and the Office of the National Coordinator for Health IT. Another federal agency involved in healthcare sector cybersecurity is the Cybersecurity and Infrastructure Security Agency, which is charged with protecting critical infrastructure and is part of the Department of Homeland Security.
"I think what will be interesting to watch is to what extent the administration supports a separate activity at HHS for cybersecurity or whether they're going to roll everything up into one agency," Holtzman says.
Meanwhile, every new presidential administration appoints a new HHS secretary, who then chooses a new director of HIPAA enforcement. But except for Roger Severino, who served as HHS OCR director for all four years of the Trump administration, most don't stay for the full term.
In fact, HHS OCR has had five directors over the past decade. Lisa Pino, the Biden administration's first HHS OCR director, left the job after less than a year. In September, Melanie Fontes Rainer became the new director. She declined ISMG's request for interview.
Like any new HHS OCR director, Rainer will need to come up to speed, Holtzman says.
"To some extent, the managers and the staff are working to both teach the director to … wherever her comfort level is, and also to learn from the new director what her priorities are," he says. "And then we have the secretary's and the administration's priorities."
Over 5,000 health data breaches since 2009 have affected the personal information of 370 million people. Ransomware gangs and hackers are targeting healthcare providers, insurance firms and partners at an alarming rate. Targeting Healthcare explores these trends and how the industry can respond.
Marianne Kolbasuk McGee: Hi, I'm Marianne Kolbasuk McGee with Information Security Media Group. So far this year, health data breaches have affected more than 40 million individuals in the U.S. Nearly twice a day, hospitals, doctor offices and a cast of business associates fall victim to hacking, theft, loss or misuse of patient data. The Department of Health and Human Services Office for Civil Rights is responsible for policing HIPAA breaches, levying fines and prescribing corrective actions. In the past, HHS has levied fines of up to $16 million dollars for a 2015 breach at health insurer Anthem that affected nearly 79 million patients. But much of that appears to have changed since January 14, 2021, with a federal appeals court ruling that struck down the agency's approach to levying fines. In a breach case against the University of Texas MD Anderson Cancer Center, the court found that a $4.3 million fine by HHS was arbitrary and capricious, in part because other providers had committed the same mistake losing a laptop with personal health information without facing any penalty. Since a $5.1 million fine levied the very next day against lifetime healthcare, the agency has bought for only one breach settlement case in the last 22 months. That was a $937,000 fine against Oklahoma State University. This is happening at a time when the number of breach cases has nearly doubled. Observers say that the MD Anderson case is just one of many challenges facing HHS Office for Civil Rights ability to enforce HIPAA.
David Holtzman: There probably is impact but because of the opaque nature of OCR enforcement program, I think it's hard to measure. I also think that we're seeing a policy shift at HHS. I don't think it's just MD Anderson. I think there are many, many issues at play here.
McGee: In fact, since the MD Anderson ruling, HHS' average fines for breaches has fallen 93% - from an average of $14 million a year between 2018 and 2021 to $900,000 since early last year. We asked HHS about the sudden drop but officials declined to discuss it.
Nicholas Heesters: To answer what the single event may have indicated heuristics but all I can say is that OCR continues to enforce all the HIPAA rules and we are certainly continuing to investigate breaches and investigate different complaints that people pose to OCR and that continues to be our posture and how we are going to work things moving forward.
McGee: Holtzman, a former senior adviser at HHS says the agency is also dealing with years of growing workloads and staffing shortages.
Holtzman: I don't think we can discount the lack of resources that OCR has, and their portfolio has increased tremendously. Under the last administration, they added a new division for conscience and other related issues. OCR has not had an opportunity to add investigators. In fact, in order to live within its budget constraints, it has fewer investigators today than it did 10 years ago. And then, I also think it's important to recognize that in order to investigate breach cases, you need some technical capability. Unlike the Federal Trade Commission, or the SEC or the Justice Department, OCR doesn't have access to technical laboratories or testing equipment. Everything is a book exercise with OCR.
McGee: With the number of breach reports nearly doubling since 2018, impacting 182 million patients, some question whether the threat or fines is having any effect on cybersecurity and healthcare.
Greg Garcia: It's hard to prove the negative that OCR enforcement has resulted in fewer cyberattacks. But we certainly do support a combination of carrots and sticks. There remain a number of health providers who simply have not done the right thing, have not invested. Some would say negligent but there are many, many more who are doing the right thing yet they still get hacked, and then it becomes a process of punishing the victim. With that in mind, we've had a number of consultations with HHS about how do we better incentivize the healthcare industry to make those appropriate investments that maybe will move the needle toward a higher level of preparedness.
McGee: HHS must balance two conflicting policies, ensuring that patients can easily access their healthcare information and protecting it from unauthorized disclosure.
Holtzman: They have to make sure that they are adopting appropriate technologies that allow consumers access to all of this health information - that they are providing the appropriate tools, but at the same time, they are not creating vulnerabilities. It is a very tenuous time in the healthcare industry. And I think each HHS is hearing that message from the healthcare industry that we are at wit's end on how to satisfy both of these requirements.
McGee: Typically, potential federal fines are only part of the damages that healthcare entities incur from breaches, lost revenue, IT remediation, state penalties and class action lawsuits can multiply total breach costs tenfold.
Holtzman: We have seen just a firestorm of class action lawsuits resulting from alleged incidents of breaches and alleging damage. So I think, to some extent, the OCR wants to stay away from cases in which the plaintiff's attorneys are pursuing their own remedies.
McGee: Jeff Westerman, a Los Angeles attorney specializing in class action claims, argues that the problems with data privacy are much greater than HHS enforcement can address.
Jeff Westerman: I don't know that a civil enforcement action would have much more impact than the private civil litigation that gets filed. It can be and the regulators or the government can bring all kinds of resources to bear. But I think that from a motivational standpoint, if you're not going to seek - and I'm not even sure there is a basis for criminal enforcement - but without criminal enforcement, where individuals face criminal penalties. I'm not sure that there's going to be much individual incentive.
McGee: The government and related healthcare groups are pushing for more incentives to encourage healthcare organizations to improve security and to follow industry best practices. In 2021, Congress directed HHS enforcement to consider an organization's adoption of recognized security practices, such as NIST standards as a mitigating factor in the enforcement process.
Heesters: But these are strictly voluntary, though there is no penalty for not doing these things. I think that's important to note that there is not a penalty if an organization does not implement a defined recognized security practice. But, we got a lot of things that are related to the NIST cybersecurity framework, to the work of the HIPAA in the four or five D Group, health information industry cybersecurity practices. If they can come to the table and they can demonstrate the OCR and they have had recognized security practices implemented for the previous 12 months, then that's going to be considered as a mitigating factor.
McGee: Greg Garcia, with the healthcare sector coordinating council, believes that monetary incentives can play a role in securing the industry.
Garcia: We're told that CMS - The Centers for Medicare & Medicaid Services - is considering whether they can use the reimbursement process as an incentive. Do the right thing in cybersecurity, your reimbursements are higher. If you can show that you are managing the security of medical devices in a more secure way, reimbursement can also be an incentive for that. We've talked about whether there can be grant programs from HHS perhaps a matching grant to give smaller hospital systems a leg up in terms of investing in the ISAC membership, which is a very small amount to pay or to invest in other managed security services. So, we think there is a lot that HHS can do.
McGee: Garcia and others say a fundamental challenge facing the Department of Health and Human Services is a siloed nature in the federal agencies that regulate various aspects of cybersecurity and healthcare. Among them is the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security, which is charged with protecting critical infrastructure.
Holtzman: I think what will be interesting to watch is to what extent the administration supports the separate activity and HHS for cybersecurity, or whether they're going to roll everything up into one agency - the CISA effort - and to treat healthcare as just a another cybersecurity critical infrastructure for cybersecurity awareness and response.
Garcia: You have all of these operational divisions within HHS, you have OCR, you have the Office of the National Coordinator, which regulates health IT interoperability, you have CMS, you have FDA. So all of these offices touch cybersecurity in some way. But they don't necessarily do it in a coherent way because they all have their own statutory authorities that they have to answer to. So it is incumbent upon the executive leadership, the political leadership of HHS to find ways to coordinate holistically how HHS is going to address at a policy level, at a programmatic level, at an operational level how they're going to address this constantly evolving cybersecurity threat against the nation's healthcare system.
McGee: Every time a new administration moves into the White House, the President appoints a new HHS secretary, who then appoints a new director of HIPAA enforcement. But except for Roger Severino, who has served as HHS OCR director for all four years of the Trump administration, most don't stay for the full term. In fact, the agency has had five directors over the past decade. Lisa Pino, the Biden administration's first HHS OCR director, left the job after less than a year. In September, Melanie Fontes Rainer became the new director. She declined ISMG's requests for an interview.
Holtzman: I don't know the current director personally, I know her by reputation. She's a smart, very good leader who is well trusted by the Secretary. But just looking at her resume, she doesn't have too much background or experience in privacy, or information security matters. And she needs to come up to speed and every director does that. So to some extent, the managers and the staff are working to both learn, to both teach the director to whatever her comfort level is, and also to learn from the new director, what her priorities are. And then we have the Secretary's and the administration's priorities.
McGee: As the political and enforcement debate rages on, healthcare will continue to be a prime target for bad actors. No one's quite sure how and when things will improve. For ISMG, I'm Marianne Kolbasuk McGee. Thanks for watching.