Privacy and Compliance Highlights
Novel COVID-19 Issues
The pandemic raised numerous novel healthcare privacy and compliance issues. As continuous monitoring and surveillance and contact tracing became key pillars of the fight against COVID-19, complex issues related to data sharing, consent and data privacy quickly came to the fore. We helped clients across a wide variety of industries — from employers to universities to retailers to healthcare organizations to governmental agencies — put solutions in place that enabled the client to ensure health and safety while also complying with federal and state regulations.
The pandemic accelerated the adoption of telemedicine throughout the country, as providers were forced to adopt telehealth solutions almost overnight. The significant reliance on telehealth, particularly early on, greatly normalized telehealth as a healthcare delivery model. Most states eliminated existing regulatory barriers to widespread adoption of telehealth just as quickly to combat the pandemic. While there will likely be some retraction after the national health emergency ends, we anticipate that telehealth is here to stay and that many regulatory restrictions will be permanently loosened.
The Office of the National Coordinator (ONC) was tasked with implementing information blocking regulations in the 21st Century Cures Act. The regulations are heralded as having the potential to revolutionize the healthcare industry and increase transparency by arming patients with significantly more data, which carries its own healthcare privacy and compliance concerns.
OCR Shifts Focus
The Office for Civil Rights (OCR), as the enforcement arm of the Department of Health and Human Services, continues to open investigations in all matters involving 500 or more patients affected in a HIPAA breach incident. However, it is still relatively rare for any one of those investigations to move toward enforcement via a settlement or imposition of penalties.
Although the OCR entered into 20 resolution agreements in 2020, more than half did not involve data security incidents. Rather, the bulk of settlements related to the OCR’s Right of Access Initiative, which seeks to enforce patient complaints relating to timely access to medical records. To date, the OCR has entered into 16 settlements under this initiative, 11 of which were in 2020.
The settlement amounts in resolution agreements involving HIPAA breaches ranged from a low of $100,000 to a high of $6.85 million. The higher multimillion-dollar settlements tended to involve incidents affecting millions of patients, while the smaller settlements involved smaller providers and smaller incidents.
In general, the 2020 resolution agreements showed little evidence of a particular pattern or focus. While a few enforcement actions were based on the failure to perform a risk analysis or to maintain appropriate HIPAA policies and procedures, others involved lack of encryption or lack of access controls. The OCR may be looking for low-hanging fruit at this point rather than focusing on a specific aspect of HIPAA.
Looking ahead, it may be more challenging for the OCR to significantly ramp up enforcement or penalty amounts in light of the recent MD Anderson Cancer Center decision. In January 2021, the 5th Circuit vacated the OCR’s $4.3 million penalty against MD Anderson for three separate incidents involving lost thumb drives and a stolen laptop – all unencrypted. The 5th Circuit Court of Appeals held that the simple loss of unencrypted protected health information did not amount to an affirmative “disclosure” under HIPAA and that the OCR's penalty lacked support under the regulations.
Significantly, the 5th Circuit also found it arbitrary and capricious that the OCR enforced the rules against some covered entities but not others. MD Anderson was able to point to instances where other HIPAA-covered entities lost unencrypted laptops but were not penalized.
It is unclear how the OCR will navigate these new post-MD Anderson waters – whether inside or outside the jurisdiction of the 5th Circuit. But MD Anderson will certainly provide some additional arguments for covered entities to consider when responding to OCR investigations.