One Beacon Street
Suite 1320
Boston, MA 02108

T 617.720.5090
F 617.720.5092


One Richmond Sq.
Suite 165W
Providence, RI 02906
T 401.454.0400
F 401.454.0404

HIPAA Enforcement Litigation

An Overview

Healthcare providers are keenly aware of the steady increase in Health Insurance Portability and Accountability Act (“HIPAA”) enforcement efforts by the federal government—acting through the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”)—in the past several years. The OCR has not only brought more enforcement actions against healthcare providers who fail to protect patients’ protected health information (“PHI”), but it has also sought higher and higher penalties for HIPAA violations, to the point that we are seeing fines at an unprecedented level. HIPAA enforcement actions are so prevalent because HIPAA, by its nature, has sweeping implications due to its broad application to all “covered entities,” a term that includes hospitals, health plans, HMOs, outpatient facilities, pharmacies, private medical practices, and most other healthcare providers. On top of that, in 2013 HHS expanded most of HIPAA’s requirements to apply to covered entities’ “business associates,” i.e., persons or entities that use a covered entity’s PHI to perform a service for it or on its behalf. Accordingly, virtually every person, practice, or facility working in the healthcare arena—including law firms—has some connection to, and is in some way subject to, HIPAA.

Representative Matter: DBS attorneys successfully defended a community-based acute care facility in an Office for Civil Rights (OCR) review of alleged violations of the Privacy and Breach Notification Rules.

All HIPAA violations are, to some degree, the result of a covered entity’s failure to protect and maintain PHI. But these violations can take many different forms, all of which are enforced (with varying degrees of punishment) by the OCR. Some of the more common types of HIPAA violations include:

  • Unencrypted Data Breaches – These are data breaches where a covered entity either loses PHI or has it stolen because the covered entity did not properly encrypt the data on its servers. Unencrypted data breaches occur with particular frequency when PHI is maintained on personal data devices such as smart phones, handheld devices, laptop computers, or tablets—which are typically not encrypted—and the device is lost or stolen.
  • Breaches Due to Employee Error – These breaches are attributable to actual errors of a covered entity’s or business associate’s employee(s), such as inadvertently sending PHI to third parties, improperly storing unencrypted PHI, or disclosing confidential patient information that could be used to identify the patient.
  • Business Associate Breaches – These are breaches committed by the covered entity’s business associate rather than by the covered entity (or one of its employees) itself; both the business associate and the covered entity are liable for such a breach. Given the prevalence of such breaches, covered entities should pay particular attention to drafting business associate agreements, and always inquire whether a potential vendor has a HIPAA audit report and HIPAA compliance program in place.
  • Failure to Notify Violations – These violations arise after one of the more traditional breaches described above. After a breach, the covered entity is required to notify HHS, the affected individuals, and (depending on the number of people affected) possibly the state Attorney General and the media. This notification requires extensive documentation, and failure to strictly comply with these notification obligations can lead to further HIPAA sanctions.

No matter the type of HIPAA violation, any person or facility that is under investigation or subject to an enforcement action must act quickly and carefully to avoid, or at the very least substantially mitigate, its liability for a breach. HIPAA enforcement actions usually begin in one of three ways: (i) someone makes a complaint to the OCR alleging a HIPAA breach; (ii) the OCR conducts its own compliance review, which uncovers a HIPAA breach; or (iii) the person or facility self-reports a HIPAA violation and the OCR commences an investigation. In each scenario, the first thing the alleged HIPAA violator will receive from the OCR will be some type of notification of the enforcement action along with a request to produce relevant information. Although this is merely the first step in the process, the OCR notification often presents a difficult decision for a covered entity because it forces the entity to balance producing potentially incriminating information, on the one hand, with its legal duty to cooperate with the OCR investigation, on the other. This balance is especially delicate given that HIPAA violations can, in certain egregious circumstances, generate criminal enforcement and criminal penalties. It is important for every covered entity to remember that these concerns exist, to some degree, in every HIPAA enforcement action, even if the notification from OCR suggests the alleged infraction is minor or technical.

Representative Matter: DBS attorneys assisted a physician practice group in developing comprehensive HIPAA compliance protocols and procedures.

There is perhaps no better—and certainly no more frequent—example of the nexus between health law and litigation than HIPAA enforcement cases. No matter the type of breach alleged or the type of covered entity that is facing the resulting enforcement action, it is critical that the covered entity engage counsel that not only has experience with HIPAA (and HIPAA’s unique defenses and arguments), but who also has sufficient civil and criminal defense litigation experience to, first, keep the HIPAA breach solely a civil matter, and, second, to quickly and effectively respond if criminal liability arises.
