HHS Settlement Agreements: What You Need to Know
The U.S. Department of Health and Human Services (HHS) is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. When a covered entity or business associate violates these rules, HHS may enter into a settlement agreement with the entity to resolve the issue.
What are HHS Settlement Agreements?
HHS settlement agreements are legally binding documents in which a covered entity or business associate agrees to take corrective actions and pay a financial penalty for HIPAA violations. The settlement agreement outlines the specific violations that were found, the corrective actions that must be taken, and the amount of the penalty that must be paid.
Why are HHS Settlement Agreements Important?
HHS settlement agreements serve as an important deterrent for covered entities and business associates that may be tempted to neglect their HIPAA compliance obligations. The financial penalties associated with settlement agreements can be significant, and the public disclosure of the agreement can tarnish a company’s reputation.
What Happens if a Covered Entity or Business Associate Refuses to Enter into a Settlement Agreement?
If a covered entity or business associate refuses to enter into a settlement agreement with HHS, the agency may pursue enforcement through the Office for Civil Rights (OCR). Such enforcement could result in a more severe penalty or even litigation.
Recent HHS Settlement Agreements
In recent years, HHS has entered into several high-profile settlement agreements related to HIPAA violations. Some of the notable examples include:
– Anthem Inc. – In 2018, Anthem agreed to pay $16 million in penalties following a data breach that exposed the personal information of nearly 79 million individuals.
– Cottage Health – In 2019, Cottage Health agreed to pay $3 million in penalties following several breaches that led to the exposure of over 62,000 individuals’ personal health information.
– CHSPSC LLC – In 2020, CHSPSC LLC agreed to pay $2.3 million in penalties following a breach that compromised the personal information of over 6 million individuals.
HHS settlement agreements are an important tool for enforcing HIPAA Privacy, Security, and Breach Notification Rules. Covered entities and business associates should prioritize their compliance efforts to avoid costly penalties and reputational harm. In the event of a violation, it is important to work with HHS to reach a settlement agreement and take corrective actions to prevent future incidents.