This question comes up a lot lately: how is HIPAA enforced? The U.S. Department of Health and Human Services (HHS) has a page that gives a nice flow chart for the answer.

But that does not seem to answer what people are really asking. I think what entities really want to know is what will trip a HIPAA violation and generate a fine — what should they really worry about. An excellent source of insight for that answer comes from the Case Examples and Resolutions Agreements. The UCLA agreement just two months ago (July 6, 2011) to “settle potential violations of the HIPAA Privacy and Security Rules for $865,500”, for example, details their mistakes.

On June 5, 2009 and June 30, 2009, HHS began investigations of two separate complaints alleging that the Covered Entity was in violation of the Privacy and/or Security Rules. The investigations indicated that the following conduct occurred (“Covered Conduct”):

(i) During the period from August 31, 2005 to November 16, 2005, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of Covered Entity patients, and during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of a Covered Entity patient.

(ii) During the period 2005-2008, a workforce member of Covered Entity employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the electronic protected health information of many patients.

(iii) During the period 2005-2008, Covered Entity did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Resolution Agreement/Corrective Action Plan 08-82727 and 08-83510 (University of California Los Angeles Health System) Security Rule training for all members of its workforce to carry out their function within the Covered Entity.

(iv) During the period 2005-2008, Covered Entity failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined electronic protected health information.

(v) During the period from 2005-2009, Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.

The words “reasonable and appropriate level” are the key to this enforcement agreement. It might seem vague at first glance but clearly a Covered Entity has to manage authentication and authorization. An appropriate level of access would be based on a need-to-know basis. In other words, no need means no authorization for a user.

And while the $865,500 fine could be called large, it reflects four years of authorization management deficiencies and information exposures to numerous “workforce members”. Compare it to the $1,000,000 fine handed to Massachusetts General Hospital earlier this year after a single authorized workforce member accidentally left billing papers on a subway on the way to work.

The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals.

I suspect these fine amounts prompt risk managers to wonder how a long-term and repeated exposure of information, which cites weak privacy management and hints at neglect and negligence, could get a lower fine than a one-time accidental disclosure by a single person.

“Willful neglect without correction” is specified under Section 13410(d) of the HITECH Act Enforcement Interim Final Rule as a “Tier D” penalty of $50K per violation up to $1.5 million per year per violator.

Perhaps documents left on the subway are considered by HHS a Tier D act, but it doesn’t sound like it from their agreement. Maybe I’m underestimating the importance regulators place on an envelope and rubber band, or on special circumstances of the case. The HITECH enforcement exception was the first thing that jumped to my mind after I read the agreement, but there must have been some other compelling evidence of privacy neglect:

…prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect