HIPAA Fines Do Not Only Apply to Covered Entities

In 2009, Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, making business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules.  Consistent with the HITECH Act, the HHS Office for Civil Rights (OCR) issued a final rule in 2013 to modify the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. Among other things, the final rule identifies provisions of the HIPAA Rules that apply directly to business associates and for which business associates are directly liable.

To date, the highest percentage of HIPAA OCR enforcement actions has been against Covered Entities.  Business Associates should not take this to mean that OCR enforces HIPAA only against Covered Entities, as a recent enforcement action issued on September 23, 2020, illustrates.

CHSPSC LLC (CHSPSC) was fined $2,300,000 for a breach that affected the PHI of over 6 million individuals.  CHSPSC provides services such as IT and health management services to hospitals and physician clinics in its role as a Business Associate.  Chinese hackers utilized advanced malware and focused on obtaining data including patient names, Social Security numbers, addresses, dates of birth, and phone numbers.  It is one of the largest healthcare data breaches to date.  Hackers used compromised administrative credentials to remotely access CHSPSC's systems through its Virtual Private Network (VPN).  Compounding the issue, the FBI notified CHSPSC in April of 2014 that it had tracked the cyberhacking group's advanced persistent threats to CHSPSC's systems.  Even with this notice, hackers continued to access and export PHI until August 2014.  The investigation revealed that 237 covered entities served by CHSPSC were affected by the breach.

As part of its investigation, OCR found longstanding noncompliance with various HIPAA requirements, including failures to implement information system activity review and security incident procedures, and a lack of sufficient access controls.  OCR also found noncompliance in the area cited in over 90% of OCR HIPAA enforcement actions: failure to conduct an appropriate risk analysis as required by the HIPAA Security Rule.  Had the risk analysis been properly performed, it likely would have led CHSPSC to implement appropriate security measures in the other areas where OCR found noncompliance.  The importance of the HIPAA risk analysis process cannot be overstated for both Covered Entities and Business Associates, as it is the cornerstone of compliance with the HIPAA Security Rule.  We recently published an article about some great tools to assist small and medium-sized businesses with this process.

The OCR enforcement action fine was not the only cost: in October of 2014, several patients filed lawsuits over the failure to implement basic security procedures.  The parties reached a settlement in 2019 for $3,100,000.  CHSPSC has also agreed to enter into a corrective action plan (CAP) to ensure compliance with the HIPAA Rules.  CHSPSC is required to develop and submit to HHS a written plan to internally monitor compliance with the CAP, which will take a substantial amount of internal time, cost, and effort.

Business Associates should use this enforcement action as a reminder that they handle data hackers view as highly lucrative, which makes them a prime target.  They are also on the hook for OCR enforcement action fines, potential legal settlements with individuals, and a potentially large loss of business from brand damage after allowing such a breach to occur.  A breach like this could put a Business Associate out of business much faster than a Covered Entity, so HIPAA compliance should be a high priority for any Business Associate.

About the Author

Doug Kanney

Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.
