
HIPAA, HITECH, ePHI, and Significant Sanctions For Covered Entities and Business Associates

On February 17, 2009, Congress enacted the American Recovery and Reinvestment Act (“ARRA”).[1] Although ARRA was created mainly as a tool to help the American economy, it also ushered in a new era of regulation intended to protect electronic protected health information (“ePHI”). The Health Information Technology for Economic and Clinical Health Act[2] (“HITECH”) was included in Title IV and Title XIII of ARRA, with the purpose of moving the country’s health records into digital formats and reinforcing the HIPAA Privacy and Security Rule[3] requirements. While digital records allow the rapid transmission of healthcare information, they also expose covered entities and business associates to significant liability for security breaches involving ePHI.

The Secretary of the U.S. Department of Health and Human Services (“HHS”), acting through the Office for Civil Rights (“OCR”), determines the amount of the fine for violations of HIPAA and HITECH involving security breaches. Fines range from $100 to $50,000 per violation, with an annual cap of $1,500,000 for multiple violations of an identical requirement or prohibition. For the period June 2013 to May 2014, OCR entered into settlements with nine (9) different covered entities for security breaches, with fines that ranged from $150,000 to $3,300,000.[4]

HIPAA and HITECH require covered entities to develop and maintain, among other things, appropriate administrative, technical and physical safeguards for protecting ePHI. Specifically, covered entities are required to: (i) ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit; (ii) identify and protect against reasonably anticipated threats or hazards to the security or integrity of that information; (iii) protect against reasonably anticipated uses or disclosures that are not permitted; and (iv) ensure compliance by their workforce.[5]

During the last five years, OCR has been actively auditing and monitoring covered entities and business associates. In 2013, Affinity Health Plan settled with OCR for $1,215,780 because it failed to erase data containing PHI from photocopiers returned to its leasing agent, impermissibly disclosing the PHI of up to 344,579 individuals. OCR determined that Affinity had failed to include the photocopiers in its analysis of risks and vulnerabilities, as the HIPAA Security Rule requires.[6] In another case, the managed care company Wellpoint, Inc. reported a breach in which its online application database left the ePHI of 612,402 individuals accessible to unauthorized individuals on the internet. OCR’s investigation revealed that Wellpoint had failed to implement adequate policies and procedures for authorizing access to the online application database. Wellpoint paid $1,700,000 to settle the matter with OCR.[7]

In 2014, OCR settled with New York Presbyterian Hospital (“NYPH”) for what was then the highest HIPAA settlement to date, $4,800,000. NYPH reported a breach in which the ePHI of 6,800 patients was inadvertently disclosed. OCR concluded that NYPH had failed to conduct a risk analysis and to implement adequate security measures, and as a result the ePHI of those 6,800 patients was accessible via Google and other internet search engines.[8] Finally, on July 20, 2016, Oregon Health & Science University agreed to pay $2,700,000 and entered into a three-year corrective action plan after OCR found “widespread and diverse problems” with its database protection.[9]

As technology continues to evolve and ePHI proliferates across smart phones, tablets, flash drives and laptops, security breaches are projected to increase dramatically in the near future. While many healthcare providers are trying to remain compliant by investing heavily in cyber-security, criminals are finding new and creative ways to gain access to ePHI.

Chapman Law Group (CLG) is dedicated to assisting covered entities and business associates in all aspects of health care law. We have the resources and expertise to provide advice on data breach notification requirements (the Breach Notification Rule), to defend you in audits and civil and criminal investigations, and to assist in preparing compliance programs that work. If you have questions or concerns regarding any aspect of HIPAA or HITECH, please call Juan C. Santos at Chapman Law Group.


[1] Pub. L. No. 111-5.
[2] 42 U.S.C. § 1320d-5.
[3] 45 C.F.R. § 160.103.
[4] Id., see note 2.
[5] Id., see notes 2 and 3.
[6] See Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2011 and 2012.
[7] Id., see note 6.
[8] Id., see note 6.
[9] Conn, Modern Healthcare, July 20, 2016 (subscription publication).