On February 1, 2017, HHS issued a press release announcing a final determination imposing $3.2 million in civil money penalties against a large health care provider (a covered entity under the Health Insurance Portability and Accountability Act (HIPAA)) resulting from the impermissible disclosure of individuals' protected health information (PHI) (see Legal Update, For the Second Time Ever, HIPAA Privacy Violations Result in Civil Money Penalties).

The provider, which operates several hospitals and clinics, submitted a HIPAA breach notification to HHS in 2010 reporting the loss of an unencrypted, non-password protected Blackberry containing the electronic PHI of 3,800 individuals (see Practice Note, HIPAA Breach Notification Rules for Group Health Plans and HIPAA Privacy, Security, and Breach Notification Toolkit). During the ensuing HHS investigation, the provider disclosed that two third parties had conducted analyses of its HIPAA compliance, both of which recommended the use of encryption to avoid the loss of PHI going forward. According to HHS, the provider continued to issue unencrypted Blackberry devices, laptops, and other devices to its workforce – despite its knowledge of the analyses' recommendations. The provider also lacked:

In 2011 and 2013, two additional disclosures of electronic PHI involving the provider's personnel occurred, the latter of which:

HHS attempted to informally resolve its investigation of HIPAA noncompliance with the provider during 2015 and 2016. After those efforts failed, HHS issued a proposed determination of civil money penalties to the provider, along with fact findings addressing the basis for the penalties. The proposal informed the provider of its right to request a hearing within 90 days, which the provider failed to invoke. Following expiration of that period, HHS finalized the $3.2 million penalty determination against the provider.

The provider's liability for penalties is based on its:

HHS cited several "aggravating factors" that weighed in its penalties determination, including:

Although HHS resolution agreements involving HIPAA noncompliance have become fairly routine over the past few years, this enforcement action illustrates a less common civil money penalties process at HHS's disposal when more informal settlement efforts are unsuccessful (45 C.F.R. § 160.416; see Legal Update, Stolen Pen Drive Results in $2.2 Million HIPAA Settlement). One of the takeaways in this case is that it is not enough for a HIPAA covered entity to simply retain a third party to conduct a risk/gap analysis and propose recommendations. Rather, the covered entity should either follow through in implementing recommendations from any such analysis or document why it decided not to do so.

In a related HHS development, the government finalized regulations to reflect required annual inflation-related increases to civil monetary penalties under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (see Legal Update, DOL Increases Civil Money Penalties for 2017, Effective January 13, 2017). The adjusted civil penalty amounts apply to civil penalties assessed on or after February 3, 2017 (that is, the date the final regulations were published in the Federal Register), if the violation occurred after November 2, 2015. If the violation occurred before November 2, 2015 (or a penalty was assessed before September 6, 2016) the pre-adjustment civil penalty amounts in effect before September 6, 2016 apply.