HIPAA Breach News

Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated

A lawsuit against CareFirst BlueCross BlueShield that was filed in response to a 2014 data breach has had a contract class certified by a federal judge, 9 years after legal action was initiated. The lawsuit can now proceed, and more than 1 million plan members are a step closer to obtaining damages. In June 2014, hackers gained access to CareFirst systems, which contained the data of around 1.1 million plan members; however, the intrusion was not detected for several months. In response to major data breaches at Anthem Inc., Premera, Excellus, and Community Health Systems, CareFirst conducted a review of its systems, which revealed there had been unauthorized access to one of its databases.

CareFirst announced the data breach in May 2015 and explained that a single database was compromised that stored data that members and other individuals enter to access CareFirst’s websites and online services. The compromised data included names, birth dates, email addresses, and subscriber ID numbers, but no highly sensitive information such as Social Security numbers, financial information, or health information.

A lawsuit – Chantal Attias, et al. vs. CareFirst – was filed in the U.S. District Court for the District of Columbia shortly after the notification letters were mailed, alleging that injuries had been suffered as a result of the breach. The lawsuit, which named seven policyholders as plaintiffs, alleged breach of contract and violations of the Consumer Protection Acts in Maryland and Virginia. The lawsuit was dismissed in 2016 for lack of standing, as the plaintiffs failed to allege that a concrete, identifiable injury had been sustained as a result of the breach. The ruling was appealed, and the District Court’s ruling was overturned. In 2018, the Supreme Court declined to review the case, which was referred back to the District Court; several years of back-and-forth litigation followed. In 2022, the plaintiffs moved to certify three classes, one for each cause of action; however, in March 2023, District Court Judge Christopher Cooper denied without prejudice the plaintiffs’ motion to certify two consumer classes and one contract class, allowing the plaintiffs to file a renewed and modified motion, which they did.

In late 2023, CareFirst’s motion for summary judgment was partially granted, and the claims under the consumer protection statutes in Maryland and Virginia were dismissed. The court found that the plaintiffs could not show there had been any identity theft, and under Washington D.C. law, mitigation expenses incurred to abate the risk of future fraud do not qualify as actual damages; therefore the plaintiffs would only be able to recover nominal damages.

On March 29, 2023, after careful consideration and a hearing on the matter, Judge Cooper found that certification of a contract class was warranted. “The standing issue that prevented the Court from certifying the last go around has since dissolved because, as all sides agree, each member of the proposed class has allegedly suffered a concrete injury based on CareFirst’s supposed breach of its contractual obligation to safeguard its customers’ data—regardless of whether they sustained an additional, tangible injury due to the data breach,” wrote Judge Cooper in his ruling.

The contract class consists of all individuals in the District of Columbia, Maryland, or Virginia who purchased or possessed health insurance from CareFirst, had their sensitive data exposed in the data breach, and were notified about that breach by CareFirst in May 2015.

The post Contract Class Certified in CareFirst Data Breach Lawsuit 9 Years After Legal Action was Initiated appeared first on HIPAA Journal.

Data Breach at New York Medical Billing Service Provider Affects 284K Individuals

M&D Capital Premier Billing in Queens, NY, has announced a breach of the protected health information of 284,326 individuals. Data breaches have also been reported by Tri-City Healthcare District and Dental Health Services in California, and Ethos (Southwest Boston Senior Services) in Massachusetts.

M&D Capital Premier Billing

M&D Capital Premier Billing, a Queens, NY-based billing service provider, has notified 284,326 individuals about a cybersecurity incident identified on July 8, 2023. Suspicious activity was detected within its network and third-party cybersecurity specialists were engaged to investigate the nature and scope of the unauthorized activity. The forensic investigation confirmed that an unauthorized third party gained access to its network on June 20, 2023, and maintained access until July 8, 2023.

During those three weeks, protected health information provided by its covered entity clients may have been viewed or acquired. That information may have included names, addresses, dates of birth, Social Security numbers, financial information, medical billing information, insurance information, and medical information such as diagnoses, medication, and treatments. M&D Capital Premier Billing said it has reviewed its existing policies and procedures and has implemented additional administrative and technical safeguards to help prevent future attacks. The affected individuals have been offered single bureau credit monitoring/single bureau credit report/single bureau credit score services at no cost.

Ethos (Southwest Boston Senior Services)

Ethos, also known as Southwest Boston Senior Services, has recently announced a cybersecurity incident that occurred on November 18, 2023, and exposed the protected health information of 14,503 individuals. On March 13, 2024, it was confirmed that protected health information had potentially been accessed or acquired in the incident. For most of the affected individuals, the exposed data included names, addresses, medical insurance information, and health and treatment information. A small group of affected individuals also had their Social Security numbers exposed.

Contact information has now been verified, which will allow individual notifications to be mailed to the affected individuals. Ethos did not state in its website notification whether credit monitoring and identity theft protection services are being offered. The notification letters will explain the steps that affected individuals can take to monitor and protect their information.

Tri-City Healthcare District

Tri-City Healthcare District in California has notified 7,847 individuals about the exposure of some of their protected health information. On November 9, 2023, unusual activity was detected in its systems, which disrupted access to those systems. The forensic investigation confirmed that an unauthorized third party gained access to its network on November 8, 2023, and may have viewed or exfiltrated files containing patient data.

The review of the affected files was completed on or around March 7, 2024, and confirmed that names and Social Security numbers had been exposed. Notification letters were sent to the affected individuals on April 4, 2024, and complimentary identity theft protection services have been offered. Tri-City Healthcare District said it has implemented additional security measures to further harden security and prevent similar incidents in the future.

Dental Health Services

Dental Health Services, a Californian provider of dental health plans to individuals in California, Oregon, and Washington, has notified certain plan members about an impermissible disclosure of some of their protected health information. On or around February 7, 2024, an error resulted in monthly invoices containing plan member data mistakenly being emailed to certain employer group customers. While the invoices were encrypted and password protected, the email recipients were sent the encryption password in a separate email before the error was identified, which allowed the invoices to be viewed.

The invoices contained the impacted members’ names, dates of birth, member identification numbers, eligibility dates, plan types, and premium amounts due. Dental Health Services has received assurances from all recipients of the emails that the incorrectly disclosed invoices have been deleted. Due to the nature of the disclosed information, Dental Health Services does not believe the data will be misused.

One Third of Healthcare Websites Still Use Meta Pixel Tracking Code

A recent analysis of healthcare websites by Lokker found widespread use of Meta Pixel tracking code. 33% of the analyzed healthcare websites still use Meta pixel tracking code, despite the risk of lawsuits, data breaches, and fines for non-compliance with the HIPAA Rules.

Website Tracking Technologies in Healthcare

A study conducted in 2021 that looked at the websites of 3,747 U.S. hospitals found that 98.6% of the hospitals used at least one type of tracking code on their websites that transferred data to third parties. An analysis in 2022 of the websites of the top 100 hospitals in the United States by The Markup/STAT revealed that one-third of those hospitals used tracking technologies on their websites that transferred visitor data, including protected health information (PHI), to third parties.

In December 2022, the HHS’ Office for Civil Rights issued guidance to HIPAA-regulated entities on the use of website tracking technologies. The guidance made it clear that these technologies violate HIPAA unless there is a business associate agreement (BAA) in place with the provider of the code or authorizations are obtained from patients. OCR and the Federal Trade Commission wrote to almost 130 healthcare organizations in July 2023 warning them about the compliance risks of using tracking technologies, after these tools were discovered on their websites. In March 2024, OCR updated its guidance – believed to be in response to a legal challenge by the American Hospital Association – however, OCR’s view that a BAA or authorizations are required has not changed.

Several hospitals and health systems have reported the use of these tracking technologies to OCR as data breaches, and many lawsuits have been filed against hospitals over the use of these tools, some of which have resulted in large settlements. For example, Novant Health agreed to pay $6.6 million to settle a lawsuit filed by patients who had their PHI transferred to third parties due to the use of these tracking tools. The FTC is also actively enforcing the FTC Act with respect to trackers, with BetterHelp having to pay $7.8 million to consumers as refunds for disclosing sensitive health data without consent. States have also taken action over the use of Meta pixel and other website trackers, with New York Presbyterian Hospital settling a Pixel-related HIPAA violation case with the New York Attorney General for $300,000.

Lokker’s 2024 Study of Website Tracking Technologies

Lokker, a provider of online data privacy and compliance solutions, conducted a study of 3,419 websites across four industries (healthcare, technology, financial services, and retail) that explored three critical areas of risk.

  • Unauthorized consumer data collection through third-party trackers, tags, and pixels.
  • How privacy tools are often failing to meet the requirements of emerging laws.
  • The escalating complexities of protecting consumers’ data privacy.

The study looked at the threat of data brokers sharing consumer data with foreign adversaries. Across all industries, 12% of websites had the TikTok pixel, including 4% of healthcare companies. While the privacy risks associated with this pixel are lower than other tracking technologies, the information collected by TikTok pixel may be transferred to China. 2% of websites, including 0.55% of healthcare websites, were found to use pixels and other web trackers that originated in China, Russia, or Iran. Data transfers to foreign nations are a major concern for the U.S. government. In February this year, President Biden signed an Executive Order to prevent the sharing of Americans’ data with foreign countries.

Alarmingly, given the considerable media coverage, HIPAA guidance, regulatory fines, and lawsuits associated with website tracking technologies, 33% of healthcare organizations were still using Meta pixel on their websites. Lokker found an average of 16 trackers and a maximum of 93 trackers on healthcare websites. The most common trackers used by healthcare organizations were from Google (googletagmanager.com, doubleclick.net, google-analytics.com, google.com, googleapis.com, youtube.com), Meta (facebook.com, facebook.net), ICDN (icdn.com), and Microsoft (linkedin.com). There appears to be confusion about obtaining consent from website visitors about the collection of their data through tracking technologies such as pixels and cookies. According to OCR guidance, the use of a banner on a website advising visitors about the use of tracking technologies does not constitute a valid HIPAA authorization. These consent banners were identified on the websites of 59% of healthcare organizations.

These consent banners often do not function as intended, as 98.5% of websites load cookies on page load, with Lokker reporting that, on average, 33 cookies are loaded before consent banners appear, and these banners often misclassify or overlook cookies and trackers. Lokker also found that technologies such as browser fingerprinting are often excluded from consent tools, and the rapidly evolving web means tracker changes may go unnoticed by consent tools, resulting in users unwittingly consenting to undesired data collection.
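As an added, defender-side illustration (not code from Lokker or from the original article), the following Python script inventories the third-party resources in a page's static HTML and flags the tracker families named above, including both load paths of the Meta pixel (the inline fbq bootstrap and the noscript image beacon). The sample HTML, its hostnames and the first-party domain are constructed for the example; a static inventory cannot see whether a consent manager gates a request at runtime, so anything it finds is requested on page load, which is the behaviour Lokker reports.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tracker hosts named in Lokker's findings, grouped by vendor.
TRACKER_FAMILIES = {
    "Google": ("googletagmanager.com", "doubleclick.net", "google-analytics.com",
               "google.com", "googleapis.com", "youtube.com"),
    "Meta": ("facebook.com", "facebook.net"),
    "Microsoft": ("linkedin.com",),
}

# Attributes whose URL triggers a network request (and so a data transfer) on page load.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


def _host_matches(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """Return the vendor family for a tracker host, or None if it is not a known tracker."""
    for family, domains in TRACKER_FAMILIES.items():
        if any(_host_matches(host, d) for d in domains):
            return family
    return None


def is_meta_pixel(url):
    """True for the two Meta pixel request shapes: fbevents.js and the /tr image beacon."""
    u = urlparse(url)
    host = u.hostname or ""
    return (_host_matches(host, "facebook.net") and u.path.endswith("fbevents.js")) or \
           (_host_matches(host, "facebook.com") and u.path == "/tr")


class _ResourceCollector(HTMLParser):
    """Collects URL-bearing tags plus inline script bodies; <noscript> children are parsed too."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url) in document order
        self.inline_scripts = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url_attr = URL_ATTRS.get(tag)
        if url_attr and attrs.get(url_attr):
            self.resources.append((tag, attrs[url_attr]))
        if tag == "script" and not attrs.get("src"):
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts.append(data)


def audit_html(html, first_party_domain):
    """Return one finding per third-party request the static HTML makes on load."""
    parser = _ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        host = urlparse(url).hostname
        if not host or _host_matches(host, first_party_domain):
            continue  # relative or first-party URL: no third-party transfer
        findings.append({"tag": tag, "host": host,
                         "family": classify_host(host) or "other third party",
                         "meta_pixel": is_meta_pixel(url)})
    # The usual pixel install is an inline bootstrap that injects fbevents.js at runtime,
    # so it never appears as a <script src>; detect it from the script body instead.
    if any("fbq(" in js or "connect.facebook.net" in js for js in parser.inline_scripts):
        findings.append({"tag": "script (inline)", "host": "connect.facebook.net",
                         "family": "Meta", "meta_pixel": True})
    return findings


def summarize(findings):
    return {
        "third_party_requests": len(findings),
        "families": sorted({f["family"] for f in findings if f["family"] != "other third party"}),
        "meta_pixel": any(f["meta_pixel"] for f in findings),
    }


# Constructed sample page for a hypothetical hospital site; pixel IDs are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=GTM-PLACEHOLDER"></script>
<script>
!function(f,b,e,v,n,t,s){/* standard pixel bootstrap, elided */}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
<script src="https://www.linkedin.com/px/insight.js"></script>
<img src="https://cdn.example-hospital.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    results = audit_html(SAMPLE_HTML, "example-hospital.org")
    for finding in results:
        print(finding)
    print(summarize(results))
```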

In addition to compliance risks related to HIPAA, there is also a risk of Video Privacy Protection Act (VPPA) violations. 3% of healthcare companies had Meta pixel or other social media trackers on pages containing video players, putting them at risk of VPPA lawsuits. In 2023, more than 80 lawsuits were filed alleging VPPA violations due to Meta pixel being used to gather and disseminate video viewing data from websites without user consent, some of which have led to multi-million-dollar settlements.

“LOKKER’s research sheds light on critical issues that businesses often underestimate. Unauthorized data collection through third-party trackers and related technologies is far more pervasive than most people realize. We all build websites with third-party tools, and they use other third-party tools, and so on. Many of these are essential and necessary. However, this web of interconnected technologies produces dozens to hundreds of URLs collecting data on a single webpage and is the engine that powers the data broker market,” said Ian Cohen, founder and CEO of LOKKER. “Moreover, data collection on websites and ad tech happens in real time; existing privacy tools are not real-time, and therefore not getting the job done. As a result, we’re seeing a dramatic increase in privacy violations, lawsuits, and fines.” The findings are published in Lokker’s Online Data Privacy Report March 2024.

Otolaryngology Associates Data Breach Affects Almost 317,000 Patients

A cyber threat actor has tried to extort money from the Indiana ENT specialists, Otolaryngology Associates, after gaining access to its network and exfiltrating patient and employee data. Otolaryngology Associates said its security system generated alerts about a potential intrusion on February 17, 2024, a few hours after the threat actor gained access to the network. Immediate action was taken to secure the network and block the attack, and at no point was access to the network prevented.

Three days later on February 20, and again on February 21, a threat actor made contact and claimed to have stolen data in the attack and threatened to publish the stolen data if the ransom was not paid. Third-party forensic experts were engaged to investigate the breach and they determined that the threat actor had not manually accessed files on the network but had run programs that exfiltrated data from internal systems.

The forensic investigation was able to narrow down the data that may have been exfiltrated, but it was not possible to determine exactly what types of data had been taken. The review of the files on the compromised parts of the network revealed they contained the protected health information of 316,802 individuals. For the majority of the affected individuals, the information potentially stolen in the attack was limited to information contained in billing records, which do not include Social Security numbers or driver’s license numbers. The exposed information was limited to names, OA medical record numbers, service codes, date(s) of service, treating physician names, appointment locations, insurance company names, and the dollar amount of charges.

A subset of the affected individuals may have had one or more of the following exposed: Social Security number, driver’s license number, address, email address, telephone number, date of birth, appointment schedule, referral forms, and/or insurance plan numbers. Affected employees may have had their bank account information and payroll information exposed. The individual notification letters state the types of information that have been exposed. OA Facial Plastics patients were not affected as OA Facial Plastics systems were not accessed by the attacker.

Otolaryngology Associates said it has implemented additional security measures to prevent further attacks and has instructed a cybersecurity firm to monitor the dark web for any release of patient data. At the time the notifications were issued, no patient data had been publicly released.

Email Accounts Compromised at Aveanna Healthcare and UNC Hospitals & School of Medicine

Email accounts have been compromised at the Georgia home health provider Aveanna Healthcare and UNC Hospitals and School of Medicine in North Carolina. Patient data has been exposed and potentially stolen in the attacks.

Aveanna Healthcare

Aveanna Healthcare, an Atlanta, GA, provider of home health and hospice care, has announced a security breach of its email environment and the exposure of the data of 65,482 patients. Anomalous activity was identified in an employee email account on September 22, 2023. The account was immediately secured, and an investigation was launched to determine the nature of the activity, and whether patient data had been exposed or stolen.

The investigation confirmed that an unauthorized third party had gained access to its email environment and potentially obtained files that contained patient information. Third-party specialists were engaged to review the affected files to determine the individuals affected and the types of data that may have been compromised. That process was completed on March 12, 2024, and notification letters started to be mailed to the affected individuals on March 15, 2024. The affected individuals have been offered complimentary identity theft protection services.

The types of data involved varied from individual to individual and may have included names in combination with one or more of the following: Social Security number, driver’s license or state identification number, date of birth, medical information, diagnosis, treatment information, MRN/patient identification number, incidental health reference, provider name, health insurance information, prescription information, Medicare/Medicaid number, and treatment cost information. Aveanna Healthcare said it has not found any evidence to indicate patient data has been misused.

UNC Hospitals & School of Medicine

UNC Hospitals & School of Medicine has reported a breach of its email environment. A School of Medicine employee received a phishing email from a known and trusted contact and followed the link in the email, believing the message to be a genuine communication. The employee’s email account was protected with multi-factor authentication (MFA); however, the threat actor tricked the employee into sharing the MFA code, allowing the email account to be accessed.

The email account was compromised on February 1, 2024, and the incident was discovered the following day. The account was immediately secured; however, patient information in the account may have been viewed or acquired. While there have been no reports of misuse of patient information, UNC Hospitals is offering complimentary credit monitoring services to individuals who had their driver’s license numbers, Social Security numbers, financial account information, and/or health insurance information exposed. At this stage, it is unclear how many individuals have been affected.

Malicious Actor Steals Patient Data from Multiple Ernest Health Hospitals

Ernest Health, the operator of rehabilitation and long-term acute care hospitals in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming, has started notifying patients about a recent data security incident involving their personal and protected health information.

Ernest Health identified unauthorized activity in its computer systems on February 1, 2024. The forensic investigation confirmed there had been unauthorized access to systems containing patient data between January 16, 2024, and February 4, 2024, and that files containing patient information were acquired in the attack. For the majority of the affected individuals, the compromised data was limited to names, addresses, dates of birth, medical record numbers, health insurance plan member IDs, claims data, diagnosis, and prescription information. Some patients also had their Social Security and/or driver’s license numbers compromised.

The security incident affected patients at multiple hospitals in the network, including:

  • Advanced Care Hospital of Southern New Mexico
  • Denver Regional Rehabilitation Hospital
  • Greenwood Regional Rehabilitation Hospital
  • Lafayette Regional Rehabilitation Hospital
  • Mountain Valley Regional Rehabilitation Hospital
  • Northern Colorado Rehabilitation Hospital
  • Northern Idaho Rehabilitation Hospital
  • Northern Utah Rehabilitation Hospital
  • Rehabilitation Hospital of Southern New Mexico
  • Rehabilitation Hospital of the Northwest
  • Summa Rehabilitation Hospital
  • Trustpoint Rehabilitation Hospital of Lubbock

Notification letters started to be mailed to the affected individuals on March 29, 2024, and complimentary credit monitoring and identity theft protection services have been offered for two years. The data breach has been reported to regulators, but it is currently unclear how many patients have been affected.

City of Hope Cyberattack Affects 827,000 Individuals

City of Hope, a non-profit clinical research and cancer treatment center in Duarte, California, has confirmed that the personal and protected health information of 827,149 individuals was compromised in a 2023 cyberattack. Suspicious activity was detected within some of its systems on October 13, 2023, and after securing the systems and implementing mitigation measures, a forensic investigation was launched to determine the nature and scope of the incident. A third-party cybersecurity firm assisted with the investigation and confirmed there had been unauthorized access to some of its systems between September 19, 2023, and October 12, 2023. During that time, copies of certain files were exfiltrated from its systems.

The delay in issuing notifications was due to the time required to conduct a detailed review of all files on the compromised systems to determine the extent of the data breach. The investigation is ongoing, but City of Hope has confirmed that the files contained personal and protected health information. The types of data involved varied from individual to individual and included names in combination with one or more of the following data elements: contact information such as phone numbers and email addresses, dates of birth, Social Security numbers, driver’s license numbers, other government identification numbers, financial information such as bank account numbers and credit card details, health insurance information, medical records, medical histories, diagnoses/conditions, and unique internal patient identifiers.

City of Hope said additional and enhanced safeguards were implemented promptly and a leading cybersecurity firm was engaged to review the security of its network, systems, and data. The affected individuals are now being notified by mail. City of Hope is offering two years of complimentary credit monitoring and identity theft protection services to the individuals who had their data exposed in the attack.

Lamoille Health Partners Settles Class Action Data Breach Lawsuit for $540,000

Lamoille Health Partners, a Vermont health system serving patients in Lamoille County, has agreed to settle a lawsuit that was filed in response to a June 2022 ransomware attack in which the protected health information of 59,381 patients was exposed and potentially stolen. Hackers gained access to the Lamoille Health Partners network between June 12, 2022, and June 13, 2022, and used ransomware to encrypt files. The attack exposed names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information. The affected individuals were notified about the breach in August 2022 and individuals who had their Social Security numbers exposed were offered complimentary identity protection and credit monitoring services.

A lawsuit – Marshall v Lamoille Health Partners Inc. – was filed in the U.S. District Court for the District of Vermont on September 1, 2022, in response to the breach. The lawsuit alleged that Lamoille Health Partners was negligent by failing to implement reasonable and appropriate cybersecurity measures and follow security best practices. The lawsuit also alleged there was an unnecessary delay in notifying the affected individuals and that Lamoille Health Partners was not compliant with the HIPAA Rules. The lawsuit claimed the plaintiff, Patricia Marshall, and the class faced an imminent and ongoing risk of identity theft and fraud due to their sensitive information being in the hands of cybercriminals.

Lamoille Health Partners has not admitted to any wrongdoing and disagrees with the claims; however, a settlement was proposed to bring the legal action to an end. Under the terms of the proposed settlement, a $540,000 fund will be created to cover claims from individuals who were affected by the breach. Class members can submit claims of up to $5,000 to cover unreimbursed, documented out-of-pocket expenses incurred as a result of the breach, including bank fees, credit expenses, travel expenses, costs of credit monitoring services, and unauthorized charges. In addition, all class members will be entitled to a pro-rata payment which will be distributed after attorneys’ fees and legal costs have been deducted and claims have been paid. The payment is anticipated to be around $50 per class member.

Important Dates:

  • Deadline for exclusion/objection: May 30, 2024
  • Deadline for submitting claims: June 20, 2024
  • Final approval hearing: September 30, 2024

New Jersey Nursing Facility to Pay $100,000 CMP to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights has announced another financial penalty has been imposed for a violation of the HIPAA Right of Access. Essex Residential Care, LLC, which does business as Hackensack Meridian Health, West Caldwell Care Center in New Jersey, has been ordered to pay a civil monetary penalty of $100,000 to resolve the alleged violation.

Hackensack Meridian Health operates skilled nursing facilities in New Jersey, including the West Caldwell Care Center. In May 2020, OCR received a complaint from a man whose mother had received care at West Caldwell Care Center; he alleged that he had not been provided with a copy of her medical records within the 30 days allowed by the HIPAA Privacy Rule.

Son Not Provided with His Mother’s Records within 30 Days

The complainant was his mother’s personal representative and therefore should have been provided with a copy of her medical records. The complainant first asked for a copy of the records on April 19, 2020, via email, and on April 23, 2020, an administrator at West Caldwell Care Center advised him that the records could not be provided without a copy of a power of attorney, medical proxy, or similar document executed by his mother confirming that he was her personal representative.

The appropriate documentation was provided but West Caldwell Care Center still did not provide the requested records, which led to him filing a complaint with OCR. On October 15, 2020, OCR notified West Caldwell Care Center that an investigation had been opened as a result of the complaint and the correspondence included a data request pursuant to the investigation.

West Caldwell Care Center responded and acknowledged that the records had not been provided within the allowed 30 days and, in response to OCR’s investigation, sent the requested records in late November, which were received by the complainant on December 1, 2020, 161 days after the initial request was made.

West Caldwell Care Center Disagreed with OCR’s Determination

Most HIPAA Right of Access investigations are informally settled with OCR, a financial penalty is paid, and the covered entity agrees to adopt a corrective action plan which includes updates to its policies and procedures and training on HIPAA policies for staff members. In this case, West Caldwell Care Center’s attorney disagreed with OCR’s proposed resolution of the investigation. OCR then notified West Caldwell Care Center that the investigation had uncovered preliminary indications of non-compliance with the HIPAA Right of Access, and OCR provided West Caldwell Care Center with the opportunity to submit evidence of mitigating factors.

West Caldwell Care Center acknowledged that the complainant was not provided with the requested records, but the records were provided to another facility to which his mother had been transferred. West Caldwell Care Center also said that at the time of the initial request, there was ongoing litigation due to the non-payment of care costs. As another mitigating factor, West Caldwell Care Center said it was dealing with the COVID-19 pandemic, and that the complainant filed a complaint with OCR exactly 30 days after the request was made before West Caldwell Care Center’s response to the initial request was due. West Caldwell Care Center accepted that the matter should have been handled differently.

$100,000 Civil Monetary Penalty Imposed

OCR determined that West Caldwell Care Center failed to provide the requested records within the 30 days allowed by the HIPAA Privacy Rule and that the delay from June 23, 2020, to December 1, 2020, was a violation of the HIPAA Right of Access. The maximum civil monetary penalty was $206,080 based on the reasonable cause penalty tier (see: What are the penalties for HIPAA violations); however, per OCR’s reinterpretation of the language of the HITECH Act and its subsequent Notice of Enforcement Discretion, the penalty was capped at $100,000.

West Caldwell Care Center argued that a civil monetary penalty was not permitted because the violation was not due to wilful neglect and was timely corrected, and that imposing a civil monetary penalty would be arbitrary and capricious and would violate the Administrative Procedure Act (APA). OCR disagreed that the violation was timely corrected and said the affirmative defense requirements were not met; it also maintained that imposing the penalty did not violate the APA and that the civil penalty amount was reasonable given the substantial delay in providing the requested records.

West Caldwell Care Center said its staff believed they had responded in the allowed time frame by transferring the records to another facility; however, OCR’s view was that the records were not provided to the personal representative as required by HIPAA. West Caldwell Care Center was advised of its right to request a hearing with an administrative law judge but, on advice from its legal counsel, chose to waive that right.

“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” commented OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

This is the fourth financial penalty imposed by OCR in 2024 to resolve alleged HIPAA violations and its 145th financial penalty to date. OCR has now fined 48 HIPAA-regulated entities for failing to provide patients or their personal representatives with timely access to the requested medical records that they are legally entitled to obtain.
