What Anthem's Historic $16 million HIPAA Settlement Means for Providers

Nov 16, 2018 at 05:02 pm by steve


The Department of Health and Human Services announced a historically large $16 million HIPAA settlement with Anthem, Inc. following its investigation of the equally historic 2014 breach affecting almost 79 million people. Is this an enforcement trend?

The February 2014 cyber attack against Anthem gave the intruders access to members' health care information for more than a year. In addition to impermissible access and disclosure, the Resolution Agreement highlighted failures to (1) perform enterprise-wide risk analysis, (2) implement sufficient procedures to regularly review information system activity, (3) identify and respond to suspected or known security incidents, and (4) implement adequate minimum access controls to prevent cyber-attack access.

This spring, Roger Severino, Director of the HHS Office of Civil Rights (OCR), stated that while the majority of its 25,600-plus investigations have been resolved through voluntary cooperation and corrective action, the nature or scope of some breaches warrants enforcement action. OCR's range of 2018 enforcement actions bears witness to this statement.

February 1, 2018
$3.5 million settlement by Fresenius Medical Care North America, a large network of clinics and hospitals, highlighted the:

February 13, 2018
$100,000 settlement by Filefax, Inc., a business associate in receivership, confirmed HIPAA's continuing obligations and liability after an organization ceases operations.

June 18, 2018
Civil Money Penalty judgment of $4.35 million against MD Anderson Cancer Center emphasized the:

September 20, 2018


What are common HIPAA failures identified by OCR?


What can you do?


Beth Pittman is of counsel with Waller, where she practices health law.
