Beyond the HHS Wall of Shame

By now many people have heard of the HHS Wall of Shame. The Wall of Shame refers to the list of organizations that have had a breach affecting 500 or more individuals. The list includes the name of the organization, the date of the breach, the approximate number of individuals affected, the type of breach (theft, improper disposal, unauthorized access, etc.) and locations of breached information (network server, laptop, paper, etc.). From September 2009 to date there have been almost 500 breaches affecting over 20 million individuals.

Enforcement Activities & Results
Upon closer look at the HHS website you will see even more information on breaches and examples of OCR’s enforcement activities. The Enforcement Highlights tab gives a summary of the activities for the current month. In addition, previous months’ and years’ activities can be accessed.

In summary, since the compliance date in April 2003, HHS has received over 75,474 HIPAA complaints. We have resolved ninety-one percent of complaints received (over 68,896): through investigation and enforcement (over 18,122); through investigation and finding no violation (8,800); and through closure of cases that were not eligible for enforcement (41,974).

From the compliance date to the present, the compliance issues investigated most are, compiled cumulatively, in order of frequency:

1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Uses or disclosures of more than the minimum necessary protected health information; and
5. Lack of administrative safeguards of electronic protected health information.

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

1. Private Practices;
2. General Hospitals;
3. Outpatient Facilities;
4. Health Plans (group health plans and health insurance issuers); and,
5. Pharmacies.

Highlighting the Naughty

The Case Examples and Resolutions Agreements tab highlights the organizations that have been found to be in violation of the HIPAA Privacy and Security rules. These organizations have reached a resolution agreement with OCR. The resolution agreement details corrective actions that the organization must implement as well as any resolution payment that must be made.

Below are the current examples that are highlighted.

• Massachusetts Provider Settles HIPAA Case for $1.5 Million – September 17, 2012
• Alaska DHSS Settles HIPAA Security Case for $1,700,000 – June 26, 2012
• HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards –April 13, 2012
• HHS settles HIPAA case with BCBST for $1.5 million –March 13, 2012
• Resolution Agreement with the University of California at Los Angeles Health System –July 6, 2011
• Resolution Agreement with General Hospital Corp. & Massachusetts General Physicians Organization, Inc.–February 14, 2011
• Civil Money Penalty issued to Cignet Health of Prince George’s County, MD–February 4, 2011
• Resolution Agreement with Management Services Organization Washington, Inc.–December 13, 2010
• Resolution Agreement with Rite Aid Corporation–July 27, 2010
• Resolution Agreement with CVS Pharmacy, Inc.–January 16, 2009
• Resolution Agreement with Providence Health & Services–July 16, 2008

A closer look into the Phoenix Cardiac Surgery example reveals the details of the case.

HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ, has agreed to pay the U.S. Department of Health and Human Services a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules. OCR’s investigation found that the physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible.

Further, Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic health information (ePHI).

Sending a Message

What should be clear from the HHS and OCR website is that OCR believes that highlighting examples of breaches and resolutions will push organizations to better protect patient information. The Wall of Shame was the first step to raising awareness of data breaches. OCR is now highlighting organizations that have entered into resolution agreements. In addition, OCR is spotlighting their enforcement process and results.

As Leon Rodriguez, the director of the Department of Health and Human Services’ Office for Civil Rights, has said in the past

Making enforcement a priority (because) enforcement promotes compliance

It is clear by the website that OCR is serious about enforcement and their goal of ensuring compliance with the HIPAA regulations.