To Settle or Not to Settle – That Is the Question Raised by Recent HIPAA CMPs

On February 1, 2017, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that the Children’s Medical Center of Dallas (“Children’s”) has paid a civil monetary penalty (“CMP”) of $3.2 million to resolve multiple HIPAA violations over several years. This CMP announcement raises a number of questions, such as whether it was financially advantageous to choose to accept a CMP rather than a proposed financial settlement and corrective action plan, and whether imposing millions of dollars in penalties on a non-profit children’s hospital strikes the right balance of promoting compliance versus taking funds away from patient care (although OCR applied the minimum CMP amounts available for the violations).

Take-Away Considerations

• Covered entities and business associates must conduct a comprehensive risk analysis and must take steps to address gaps identified as part of the risk analysis.
• Policies and procedures should address all required elements of the Privacy and Security Rules.
• “Addressable” does not equal optional. The encryption implementation specification is addressable as opposed to required. Therefore, encryption must be implemented if, after a risk assessment, the entity has determined that the specification is a “reasonable and appropriate” safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI. If the covered entity or business associate concludes that the addressable encryption implementation specification is not reasonable and appropriate, then it must document that determination and implement an equivalent alternative measure.
• Although most entities facing CMPs choose to settle, the costs of a corrective action plan may make accepting a CMP a more attractive alternative, especially if OCR is seeking the minimum level of penalties.

Read the full analysis here