2018 was memorable year in the healthcare industry for a variety of reasons, including enforcement activities. The HHS OIG’s unprecedented Fraud Takedown resulted in the OIG charging more than 600 defendants in 58 federal districts with participating in fraud schemes involving about $2 billion in losses to Medicare and Medicaid. Not to be outdone, the HHS Office of Civil Rights (OCR) had a record-breaking year with respect to HIPAA violation settlements and Civil Monetary Penalties. In September 2018, a trio of hospitals gained notoriety for their settlement with the OCR over allegations related to allowing a film crew to record patients without their consent. In October 2018, the single largest penalty of the year, $16 million, was levied against Anthem for a 2015 data breach impacting 78,800,000 plan members.
If the 2018 enforcement actions and fines imposed by State Attorneys General are any type of crystal ball into what 2019 may hold, HIPAA covered entities should consider their liabilities under State law as further support for refreshing their commitments to HIPAA compliance.