HIPAA Compliance News

Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services’ Office.

Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking.

Tripathi has a wealth of experience in secure health information exchange and is aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced IT technology.

Tripathi has also served as manager of the strategy and management consulting firm Boston Consulting Group (BCG), CEO of the Massachusetts eHealth Collaborative, was the founding president and CEO of the Indiana Health information Exchange, and has served on the boards of the HL7 FHIR Foundation, Datica, Sequoia Project, CommonWell Health Alliance, and the CARIN Alliance.

“I can personally attest to Micky’s industry-wide leadership on healthcare interoperability and to his vision for the value that shared, timely, and accurate data provides for improving healthcare delivery and reducing costs. No one is better suited for this absolutely critical mission,” said Sean Carroll, CEO, Arcadia.

Tripathi replaces former President Trump appointment Donald Rucker, M.D., who held the position for the previous 4 years.

The HHS has also confirmed that Robinsue Frohboese has taken on the role of Acting Director of the HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese previously served as principal deputy director of OCR and takes over from acting director March Bell, who replaced the former OCR Director Roger Severino on January 15, 2020.

Frohboese has played a key role in many civil rights initiatives and OCR’s implementation of the HIPAA Privacy Rule.

Prior to taking on the role of principal deputy at OCR, Frohboese worked for 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as Senior Trial Attorney and subsequently as Deputy Chief.

The post Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS appeared first on HIPAA Journal.

HIPAA Enforcement by State Attorneys General

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules.

The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and can obtain damages on behalf of state residents.

The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of unencrypted hard drive containing the electronic protected health information 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000.

State Attorney HIPAA cases were relatively rare occurrences, with only 11 settlements reached with covered entities and business associates to resolve HIPAA violations between 2010 and 2015. HIPAA enforcement by state attorneys general was stepped up in 2017 with 5 settlements and again in 2018 when 12 cases resulted in financial penalties for violations of the HIPAA Rules.

In 2019 and 2020, a total of 5 cases have resulted in financial penalties, although those penalties have been sizeable, and four of the five cases were multistate actions against HIPAA covered entities and business associates where several state attorneys general participated in the actions. These multistate actions allow state attorneys general to pool their resources and investigate potential violations of HIPAA and state laws more efficiently.

When civil actions are brought against covered entities or business associates by state Attorneys General, they are separate from any Office for Civil Rights actions.

Several data breaches have resulted in settlements being reached at both the federal and state level. Community Health Systems/CHSPSC, Anthem Inc., Premera Blue Cross, Aetna, Cottage Health System, University of Rochester Medical Center, and Medical Informatics Engineering have all settled cases with OCR and state attorneys general to resolve potential HIPAA violations.

In many of the state AG enforcement actions below, the financial penalties resolve violations of federal (HIPAA) and state laws. Over the years there have been several cases where HIPAA Rules have been violated, but the decision was taken to bring actions for violations of equivalent provisions in state laws.

HIPAA Enforcement by State Attorneys General in 2020

Year State Entity Amount Individuals affected Reason for Investigation Findings
2020 Multistate (28 states) Community Health Systems / CHSPSC LLC $5,000,000 6.1 million Hacked by Chinese APT group Failure to implement and maintain reasonable security practices
2020 Multistate (43 states) Anthem Inc $39.5 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws
2020 California Anthem Inc $8.7 million 78.8 million Phishing attack and major data breach Multiple violations of HIPAA and state laws

HIPAA Enforcement by State Attorneys General in 2019

Year State Entity Amount Individuals affected Reason for Investigation Findings
2019 Multistate (30 states) Premera Blue Cross $10,000,000 10.4 million Hacking incident and major data breach Multiple violations of HIPAA and state laws
2019 Multistate (16 states) Medical Informatics Engineering $900,000 3.5 million Breach of NoMoreClipboard data Multiple violations of HIPAA and state laws
2019 California Aetna $935,000 1,991 2 mailings exposed PHI (Afib, HIV) Impermissible Disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2018

Year State Entity Amount Individuals affected Reason for Investigation Findings
2018 Massachusetts McLean Hospital $75,000 1,500 Loss of backup tapes Insufficient risk assessment, failure to encrypt data, delayed breach notifications
2018 New Jersey EmblemHealth $100,000 6,443 (81,000) Mailing error exposed SSNs Impermissible disclosure of PHI/ lack of staff training
2018 New Jersey Best Transcription Medical $200,000 1,650 Exposure of ePHI in Internet Risk assessment and risk management failure, breach notification failure
2018 Multistate (CT, NJ, DC) Aetna 640170.59 13,160 2 mailings exposed PHI (Afib, HIV) Impermissible Disclosure of sensitive health information
2018 Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000 15,000 Multiple data breaches Failure to secure ePHI
2018 New York Arc of Erie County $200,000 3,751 Exposure of ePHI on Internet Failure to secure ePHI
2018 New Jersey Virtua Medical Group $417,816 1,654 Exposure of ePHI on Internet Multiple violations of the HIPAA Rules
2018 New York EmblemHealth $575,000 81,122 Mailing error exposed SSNs Impermissible disclosure of PHI / lack of staff training
2018 New York Aetna $1,150,000 12,000 2 mailings exposed PHI (Afib, HIV) Impermissible Disclosure of sensitive health information

HIPAA Enforcement by State Attorneys General in 2017

Year State Entity Amount Individuals affected Reason for Investigation Findings
2017 California Cottage Health System $2,000,000 More than 54,000 Exposure of PHI on Internet Failure to safeguard personal information
2017 Massachusetts Multi-State Billing Services $100,000 2,600 Theft of unencrypted laptop computer Failure to safeguard personal information
2017 New Jersey Horizon Healthcare Services Inc $1,100,000 3.7 million Theft of 2 unencrypted laptop computers Failure to safeguard personal information
2017 Vermont SAManage USA, Inc. $264,000 660 Exposure of PHI on Internet Failure to secure ePHI / breach notification failure
2017 New York CoPilot Provider Support Services, Inc $130,000 221,178 Delayed breach notification Violation of breach notification requirements

HIPAA Enforcement by State Attorneys General (2010-2016)

Year State Entity Amount Individuals affected Reason for Investigation Findings
2015 New York University of Rochester Medical Center $15,000 3,403 List of patients provided to nurse who took it to a new employer Impermissible disclosure of ePHI
2015 Connecticut Hartford Hospital/ EMC Corporation $90,000 8,883 Theft of unencrypted laptop containing PHI Lack of Business Associate Agreement / failure to encrypt ePHI
2014 Massachusetts Women & Infants Hospital of Rhode Island $150,000 12,000 Loss of backup tapes containing PHI Failure to safeguard ePHI / Lack of staff training
2014 Massachusetts Boston Children’s Hospital $40,000 2,159 Loss of laptop containing PHI Failure to encrypt ePHI
2014 Massachusetts Beth Israel Deaconess Medical Center $100,000 3,796 Loss of laptop containing PHI Failure to encrypt ePHI
2013 Massachusetts Goldthwait Associates $140,000 67,000 Mishandling of PHI Improper disposal of PHI
2012 Minnesota Accretive Health $2,500,000 24,000 Mishandling of PHI Failure to safeguard PHI
2012 Massachusetts South Shore Hospital $750,000 800,000 Loss of backup tapes containing PHI Failure to safeguard PHI
2011 Vermont Health Net Inc. $55,000 1,500,000 Loss of unencrypted hard drive/delayed breach notifications Failure to safeguard PHI / Violation of breach notification requirements
2011 Indiana WellPoint Inc. $100,000 32,000 Failure to report breach in a reasonable timeframe Violation of breach notification requirements
2010 Connecticut Health Net Inc. $250,000 1,500,000 Loss of unencrypted hard drive Failure to safeguard PHI / Violation of breach notification requirements

The post HIPAA Enforcement by State Attorneys General appeared first on HIPAA Journal.

OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations.

The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency.

A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations.

A WBSA, and the data created, received, maintained, or transmitted by the WBSA, should only be accessible to the intended parties, such as the healthcare provider or pharmacy providing the vaccinations, an authorized person scheduling appointments, or a WBSA workforce member that requires access to the solution and/or data for providing technical support.

The notice of enforcement discretion does not apply to an appointment scheduling application that connects directly to electronic health record (EHR) systems.

A WBSA may not meet all requirements of the HIPAA Rules and would therefore not be permitted for use in connection with electronic protected health information (ePHI) under normal circumstances. It is also possible that the vendor of a WBSA may not be aware that their solution is being used by healthcare providers in connection with ePHI, which would see the vendor classified as a business associate under HIPAA.

While the notice of enforcement discretion is in effect, OCR will not impose penalties against HIPAA covered entities, their business associates, and WBSA vendors that meet the definition of business associate under the HIPAA Rules for good faith uses of WBSAs for scheduling COVID-19 vaccination appointments.

While penalties will not be imposed, OCR encourages the use of reasonable safeguards to protect the privacy of individuals and the security of ePHI. That means the ePHI collected and entered into the WBSA should be limited to the minimum necessary information, encryption technology should be used if available, and all privacy settings should be enabled. That includes adjusting the calendar display to hide names or only show initials. If a vendor stores ePHI, the storage should only be temporary and ePHI should be destroyed no later than 30 days after the appointment. The WBSA vendor should be instructed not to disclose any ePHI in a manner inconsistent with the HIPAA Rules.

These reasonable safeguards are encouraged by OCR. “Failure to implement the recommended reasonable safeguards above will not, in itself, cause OCR to determine that a covered health care provider or its business associate failed to act in good faith for purposes of this Notification,” explained OCR in the notification.

Bad faith uses are not covered by the notification include:

  1. Use of a WBSA where the vendor prohibits its use for scheduling healthcare services.
  2. Using the WBSA for scheduling appointments other than COVID-19 vaccinations.
  3. Using a solution that does not have access controls to limit access to ePHI to authorized individuals.
  4. Screening individuals for COVID-19 prior to in-person healthcare visits.
  5. Use of public-facing WBSAs.

“OCR is using all available means to support the efficient and safe administration of COVID-19 vaccines to as many people as possible,” said March Bell, Acting OCR Director.

The post OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments appeared first on HIPAA Journal.

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year.

More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.

Key Takeaways

  • 25% year-over-year increase in healthcare data breaches.
  • Healthcare data breaches have doubled since 2014.
  • 642 healthcare data breaches of 500 or more records were reported in 2020.
  • 76 data breaches of 500 or more healthcare records were reported each day in 2020.
  • 2020 saw more than 29 million healthcare records breached.
  • One breach involved more than 10 million records and 63 saw more than 100K records breached.
  • Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
  • 3,705 data breaches of 500 or more records have been reported since October 2009.
  • 78 million healthcare records have been breached since October 2009.

U.S. Healthcare Data Breaches 2009 to 2020

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.

U.S. Healthcare data breaches - exposed records 2009-2020

The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email but and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents were reported in 2020 by HIPAA-covered entities and business associates that involved 100,000 or more healthcare records.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Trinity Health Business Associate 3,320,726 Hacking/IT Incident
MEDNAX Services, Inc. Business Associate 1,290,670 Hacking/IT Incident
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident
Magellan Health Inc. Health Plan 1,013,956 Hacking/IT Incident
Dental Care Alliance, LLC Business Associate 1,004,304 Hacking/IT Incident
Luxottica of America Inc. Business Associate 829,454 Hacking/IT Incident
Northern Light Health Business Associate 657,392 Hacking/IT Incident
Health Share of Oregon Health Plan 654,362 Theft
Florida Orthopaedic Institute Healthcare Provider 640,000 Hacking/IT Incident
Elkhart Emergency Physicians, Inc. Healthcare Provider 550,000 Improper Disposal
Aetna ACE Health Plan 484,157 Hacking/IT Incident
Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident
SCL Health – Colorado Healthcare Provider 343,493 Hacking/IT Incident
AdventHealth Healthcare Provider 315,811 Hacking/IT Incident
Nuvance Health Healthcare Provider 314,829 Hacking/IT Incident
Magellan Rx Management Business Associate 314,704 Hacking/IT Incident
The Baton Rouge Clinic Healthcare Provider 308,169 Hacking/IT Incident
Allegheny Health Network Healthcare Provider 299,507 Hacking/IT Incident
Northeast Radiology Healthcare Provider 298,532 Hacking/IT Incident

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

causes of 2020 healthcare data breaches

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the year’s largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits, with the healthcare industry heavily targeted during the pandemic.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records my malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorised individuals, and human error that exposes patient data.

Breach Type Number of breaches Records breached

Mean Records Breached

Median Records Breached
Hacking/IT Incident 429 26,949,956 62,820 8,000
Unauthorized Access/Disclosure 143 787,015 5,504 1,713
Theft 39 806,552 20,681 1,319
Improper Disposal 16 584,980 36,561 1,038
Loss 15 169,509 11,301 2,298

Location of Breached Protected Health Information

The increased use of encryption and cloud services for storing data have helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than 1 every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Location of compromised data in healthcare data breaches 2020

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.

2020 healthcare data breaches in the United States by Entity type

2020 Healthcare Data Breaches by State

South Dakota, Vermont, Wyoming residents survived 2020 without experiencing any healthcare data breaches, but there were breaches reported by entities based in all other states and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

State No. Breaches State No. Breaches State No. Breaches State No. Breaches
California 51 Virginia 18 New Jersey 9 Kansas 3
Florida 44 Indiana 17 South Carolina 9 Nebraska 3
Texas 44 Massachusetts 17 Washington 9 West Virginia 3
New York 43 Maryland 16 Delaware 8 District of Columbia 2
Pennsylvania 39 North Carolina 16 Utah 8 Idaho 2
Ohio 27 Colorado 14 Louisiana 6 Nevada 2
Iowa 26 Missouri 14 Maine 6 Oklahoma 2
Michigan 21 Arizona 12 New Mexico 6 Mississippi 1
Georgia 20 Arkansas 12 Oregon 5 Montana 1
Illinois 20 Kentucky 12 Hawaii 4 New Hampshire 1
Minnesota 20 Wisconsin 12 Alabama 3 North Dakota 1
Connecticut 19 Tennessee 10 Alaska 3 Rhode Island 1

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance.  $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorney generals also have the authority to take action against entities found not to be in compliance with the HIPAA Rules. There has been a trend for state attorneys general to work together and pool resources in their legal actions for noncompliance with the HIPAA Rules. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totalling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare data breaches to be reported to the HHS’ Office for Civil Rights. A summary of breaches of 500 or more records is published by the HHS Office for Civil Rights. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

The post 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020 appeared first on HIPAA Journal.

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average.

There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 565 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.

2020 Healthcare Data Breaches

December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached.

healthcare records breached in 2020

Largest Healthcare Data Breaches Reported in December 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause
MEDNAX Services, Inc. FL Business Associate 1,290,670 Hacking/IT Incident Phishing attack
Dental Care Alliance, LLC FL Business Associate 1,004,304 Hacking/IT Incident Unspecified hacking incident
Aetna ACE CT Health Plan 484,157 Hacking/IT Incident Phishing attack (business associate)
Allegheny Health Network PA Healthcare Provider 299,507 Hacking/IT Incident Ransomware attack (Blackbaud)
AMITA Health IL Healthcare Provider 261,054 Hacking/IT Incident Ransomware attack (Blackbaud)
Community Eye Care, LLC NC Health Plan 149,804 Hacking/IT Incident Email account breach
GenRx Pharmacy AZ Healthcare Provider 137,110 Hacking/IT Incident Ransomware attack
Wilmington Surgical Associates, P.A. NC Healthcare Provider 114,834 Hacking/IT Incident Ransomware attack
Agency for Community Treatment Services, Inc. FL Healthcare Provider 73,825 Hacking/IT Incident Ransomware attack
Sonoma Valley Healthcare District CA Healthcare Provider 69000 Hacking/IT Incident Ransomware attack

There were two healthcare data breaches reported in December that each impacted more than 1 million individuals. The largest breach was a phishing attack on the Florida-based business associate, MEDNAX Services, Inc. MEDNAX provides revenue cycle management and other administrative services to its affiliated physician practice groups. Hackers gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails. The compromised accounts contained the protected health information of 1,290,670 patients of its clients.

Dental Care Alliance is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices in 20 U.S. states. Little information has been released about the exact nature of the cyberattack, other than hackers gaining access to its systems and viewing files containing patient information.

Causes of December 2020 Healthcare Data Breaches

Ransomware gangs continue to target healthcare organizations and attacks have increased considerably in recent months. 5 of the worst data breaches reported in December involved ransomware, as did many of the smaller breaches. Several healthcare providers have only just reported being affected by the ransomware attack on Blackbaud Inc., which was discovered by the cloud service provide in May 2020.

Phishing continues to be a major cause of healthcare data breaches. There were 13 data breaches involving unauthorized accessing of email accounts, the majority of which used credentials stolen in phishing attacks. While most of the month’s breaches involved unauthorized accessing of electronic protected health information, 17.75% of the month’s breaches involved paper records and films, highlighting the importance of also protecting physical records.

cvauses of December 2020 healthcare data breaches

33 hacking/IT incidents were reported to OCR in December 2020. Those incidents accounted for 98.39% of the month’s breached records (4,173,519 records). An average of 126,470 records were breached per incident with a median breach size of 8,000 records per incident.

There were 21 unauthorized access/disclosure incidents reported to OCR which involved a total of 57,837 records. The average breach size was 2,754 records and the median breach size was 1,020 records.

There were 7 theft and loss incidents reported (5 theft/2 loss). The average breach size was 1,392 records and the median breach size was 856 records. There was also one incident involving the improper disposal of 501 records.

Location of PHI in December 2020 healthcare data breaches

Entities Reporting Data Breaches in December 2020

Healthcare providers were the worst affected covered entity in December 2020 with 39 breaches reported, but there was a major increase in data breaches reported by health plans. 17 health plans reported breaches of 500 or more records in December, which is a 183% increase from November.

There were 6 data breaches reported by business associates of HIPAA covered entities, but 40% of the month’s breaches (25) had some business associate involvement. In many cases, the breach was experienced by the business associate but was reported by the covered entity.

December 2020 healthcare data breaches by covered entity type

December 2020 Healthcare Data Breaches by State

HIPAA covered entities and business associates in 58% of U.S. states reported data breaches in December. Florida was the worst affected of the 29 states with 9 reported data breaches. Pennsylvania also had a particularly bad month with 7 reported breaches, followed by Missouri and Texas with 4, and Illinois, North Carolina, and Tennessee with 3.

There were two breaches reported in each of Arizona, Connecticut, Georgia, Massachusetts, Minnesota, Ohio, and Wisconsin, and one breach reported in each of Arkansas, California, Colorado, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maine, Mississippi, Nebraska, Oregon, Utah, Virginia, and West Virginia.

HIPAA Enforcement in December 2020

2020 has been a busy year in terms of HIPAA enforcement. More financial penalties were imposed on HIPAA covered entities and their business associates to resolve potential HIPAA violations in 2020 than in any other year since the HHS was given the authority to enforce HIPAA compliance.  19 settlements were reached to resolve cases where HIPAA Rules appeared to have been violated.

OCR announced one further financial penalty in December – The 13th financial penalty under its HIPAA Right of Access initiative. Peter Wrobel, M.D., P.C., dba Elite Primary Care, agreed to pay OCR a $36,000 to resolve a case involving the failure to provide two patients with timely access to their medical records.

You can read more about 2020 HIPAA enforcement in our end of year summary.

The post December 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals.

The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties.

Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015.

The hackers installed malware on its systems, performed reconnaissance, and were found to have accessed the healthcare data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary. The information accessed by the hackers included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR launched an investigation of the breach in June 2016 to determine whether Excellus Health Plan was in compliance with the HIPAA Privacy, Security, and Breach Notification Rules. The investigation identified five standards of the HIPAA Rules where Excellus was potentially noncompliant.

OCR determined the health plan had failed to conduct an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) of its members.  Sufficient measures had not been implemented to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and technical policies and procedures that only allow authorized persons and software programs to access systems containing ePHI were insufficient. As a result of these issues, unauthorized individuals gained access to the PHI of 9,358,891 of its members. It took Excellus more than 18 months to discover its systems had been breached. OCR found policies and procedures requiring regular reviews of information system activity to be lacking.

The financial penalty was agreed with OCR to avoid further investigation and formal proceedings, and the settlement was reached with no admission of liability or wrongdoing. In addition to paying the financial penalty, Excellus is required to adopt a corrective action plan that covers all areas of potential noncompliance identified by OCR during the investigation. Excellus will also be monitored closely by OCR for 2 years to ensure continued compliance with the HIPAA Rules.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information.  In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent.  Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

This is the second HIPAA enforcement action to be announced by OCR in 2021. Earlier this month, OCR said a $200,000 settlement had been reached with Banner Health to resolve potential HIPAA Right of Access violations. The Excellus settlement comes just a few hours after the 5th Circuit Court of Appeals vacated a $4.3 million Civil Monetary Penalty imposed by OCR on University of Texas M.D. Anderson Cancer Center that stemmed from three incidents involving the loss/theft of portable devices containing ePHI between 2012 and 2013.

The two HIPAA settlements in January follow on from a record year of HIPAA enforcement that saw 19 financial penalties paid by HIPAA covered entities and business associates to resolve potential violations of HIPAA Rules.

The post Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty appeared first on HIPAA Journal.

What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. 

The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom.

Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules.

Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013.

Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses and all other covered entities, as well as business associates (BAs) of covered entities that are found to have violated HIPAA Rules.

Financial penalties are intended to act as a deterrent to prevent the violation of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and the confidentiality of health data, and providing patients with access to their health records on request.

The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. The OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

Ignorance of HIPAA Rules is no excuse for failing to comply with HIPAA Rules.  It is the responsibility of each covered entity to ensure that HIPAA Rules are understood and followed. In cases when a covered entity is discovered to committed a willful violation of HIPAA laws, the maximum fines apply.

What Constitutes a HIPAA Violation?

There is much talk of HIPAA violations in the media, but what constitutes a HIPAA violation? A HIPAA violation is when a HIPAA covered entity – or a business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.

A violation may be deliberate or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties will be at a lower rate to willful violations of HIPAA Rules.

An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications – A violation of the HIPAA Breach Notification Rule.

Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.

Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity or business associate’s plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules.

What Happens if you Violate HIPAA? – HIPAA Violation Classifications

What happens if you violate HIPAA? That depends of the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or  issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.

The four categories used for the penalty structure are as follows:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for a covered entities to be issued with a fine. OCR appreciates this, and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involved willful neglect of Privacy, Security and Breach Notification Rules.

HIPAA Violation Penalty Structure

Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected and the nature of the data exposed. An organization´s willingness to assist with an OCR investigation is also taken into account. The general factors that can affect the level of financial penalty also include prior history, the organization’s financial condition and the level of harm caused by the violation.

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation

The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account. The civil monetary penalties for 2018 and 2019, adjusted for inflation, can be viewed on this link. 

The HITECH Act increased the possible penalties for HIPAA violations to strengthen enforcement of HIPAA compliance and to give HIPAA covered entities a greater incentive to press forward with their compliance programs. OCR interpreted the text of the HITECH Act to mean that maximum and minimum penalties should be set in each of the four penalty tiers based on the level of culpability. However, there were some ambiguities with respect to the maximum possible annual fines in each of the violation tiers. OCR interpreted HITECH requirements to mean that the maximum penalty in each violation category should be $1,500,000 per year for violations of an identical provision. However, in April 2019, OCR re-evaluated the HITECH Act text and interpreted the maximum fines differently. From April 2019 onward, the maximum fines that can be applied for violations of an identical provision in a calendar year are different in each penalty tier.  The maximum fine per violation category, per year, is still $1,500,000 for a Tier 4 violation. The maximum annual fine has been reduced in each of the other tiers, as detailed in the infographic below.

A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA rules; however minor.

A fine may also be applied on a daily basis. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.

Attorneys General Can Also Issue HIPAA Violation Fines

Since the introduction of the HITECH Act (Section 13410(e) (1)) in February 2009, state attorneys general have the authority to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and can file civil actions with the federal district courts. HIPAA violation fines can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.

A covered entity suffering a data breach affecting residents in multiple states may be ordered to pay HIPAA violation fines to attorneys general in multiple states. At present only a few U.S states – Connecticut, Massachusetts, Indiana, Vermont and Minnesota – have so far taken action against HIPAA offenders, but since attorneys general offices are able to retain a percentage of the fines issued, more attorneys general may decide to issue penalties for HIPAA violations.

Can HIPAA Violations be Criminal?

When a HIPAA-covered entity of business associate violates HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it is usually their employer that receives the penalty, but not always. If healthcare professionals knowingly obtain or use protected health information for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA.

Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals that have knowingly violated HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences.

Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual “knowingly” violates HIPAA, knowingly means that they have some knowledge of the facts that constitute the offense, not that they definitely know that they are violating HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case. As with OCR, a number of general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to the payment of a fine.

The tiers of criminal penalties for HIPAA violations are:

Tier 1:   Reasonable cause or no knowledge of violation – Up to 1 year in jail

Tier 2:   Obtaining PHI under false pretenses – Up to 5 years in jail

Tier 3:   Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail

In recent months, the number of employees discovered to be accessing or stealing PHI – for various reasons – has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified promptly.

All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment, but potentially also a lengthy jail term and a heavy fine.

State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely.

Employee Sanctions for HIPAA Violations

Not all HIPAA violations are as a result of insider theft, and many Covered Entities and Business Associates apply a scale of employee sanctions for HIPAA violations depending on factors such as whether the violation was intentional or accidental, whether it was reported by the employee as soon as the violation was realized,  and the magnitude of the breach. Some Covered Entities also apply employee sanctions for HIPAA violations on employees who were aware a violation (by another employee) had occurred, but failed to report it.

Employee sanctions for HIPAA Violations vary in gravity from further training to dismissal. The decision should be taken in consultation with HIPAA Privacy and Security Officers, who may have to conduct interviews with the employee, investigate audit trails and review telephone logs – including the telephone logs of the employee´s mobile phone. Because of the expense and disruption attributable to applying employee sanctions for HIPAA violations, it is worthwhile dedicating more resources to initial employee training in order to prevent HIPAA violations – whether intentional or accidental – from occurring.

Receiving a Civil Penalty for Unknowingly Violating HIPAA

Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations is not regarded as a justifiable excuse for failing to implement the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.

As a result of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without authorization when a laptop containing the data was stolen from a car parked outside an employee´s home. Speaking after details of the fine had been announced, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for disregarding security.

It may also be possible for a CE or BA to receive a civil penalty for unknowingly violating HIPAA if the state in which the violation occurs allows individuals to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, individuals can still use the regulations to establish a standard of care under common law. Several cases of this nature are currently in progress.

HIPAA Compliance Audits are Likely to Result in Penalties for HIPAA Violations

If a CE or BA is found not to have complied with HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance – even if there has been no breach of PHI or no complaint.

After much delay, OCR is now conducting the second phase of HIPAA compliance audits. The audits are not being conducted specifically to find HIPAA violations and to issue financial penalties, although if serious violations of HIPAA Rules are discovered, financial penalties may be deemed appropriate.

The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed many covered entities were struggling with compliance. OCR provided technical assistance to help those entities correct areas of noncompliance and no penalties for HIPAA violations were issued.

Now, 5 years on, covered entities have had ample time to develop their compliance programs. This time around, OCR is not expected to be so lenient.

One of the biggest areas of noncompliance with HIPAA Rules discovered during the first phase of compliance audits was the failure to conduct a comprehensive, organization-wide risk assessment.

The risk assessment is fundamental to developing a good security posture. If a risk assessment is not conducted, a covered entity will be unaware whether any security vulnerabilities exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be managed and reduced to an acceptable level.

A look at the penalties for HIPAA violations issued by OCR shows just how common risk assessment violations occur. Risk assessment failures frequently attract financial penalties.

The failure to complete Business Associate Agreements (BAAs) with third-party service providers can attract penalties for HIPAA noncompliance. Several covered entities have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.

BAAs are a key area that OCR will be keeping an eye on throughout its audit program. BAAs – contracts that lay out the permitted uses and allowable disclosures of PHI – should be signed with every third party service provider with whom PHI is disclosed (including lawyers).

Penalties for HIPAA Violations

 

OCR Penalties for HIPAA violations 2008-2020

When deciding on an appropriate settlement, OCR considers the severity of the violation, the extent of noncompliance with HIPAA Rules, the number of individuals impacted and the impact a breach has had on those individuals. OCR also considers the financial position of the covered entity. Punitive measures may be necessary, but penalties for HIPAA violations should not result in a covered entity being forced out of business.

The purpose of these penalties for HIPAA violations is in part to punish covered entities for serious violations of HIPAA Rules, but also to send a message to other healthcare organizations that noncompliance with HIPAA Rules is not acceptable.

 

Penalty amounts in OCR HIPAA settlements and CMPs

OCR HIPAA Fines 2020

2020 saw more financial penalties imposed on HIPAA covered entities and business associates than in any other year since OCR started enforcing HIPAA compliance. 19 settlements were reached to resolve potential violations of the HIPAA Rules. OCR continued with its HIPAA Right of Access enforcement initiative that commenced in late 2019 and by year end had settled 11 cases where patients had not been provided with timely access to their medical records for a reasonable cost-based fee.

2020 saw the second largest settlement to resolve HIPAA violations. The health insurer Premera Blue Cross paid OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of its 2015 breach of the ePHI of 10,466,692 individuals.

2020 OCR HIPAA Settlements

Covered Entity Reason Individuals Impacted Amount
Peter Wrobel, M.D., P.C., dba Elite Primary Care HIPAA Right of Access failure 2 $36,000
University of Cincinnati Medical Center HIPAA Right of Access failure 1 $65,000
Dr. Rajendra Bhayani HIPAA Right of Access failure 1 $15,000
Riverside Psychiatric Medical Group HIPAA Right of Access failure 1 $25,000
City of New Haven, CT Failure to terminate access rights; risk analysis failure; failure to implement Privacy Rule policies; failure to issue unique IDs to allow system activity to be tracked; impermissible disclosure the PHI of 498 individuals 498 $202,400
Aetna Lack of technical and nontechnical evaluation in response to environmental or operational changes; identity check failure; minimum necessary information failure; impermissible disclosure of 18,849 records; lack of administrative, technical, and physical safeguards 18,849 $1,000,000
NY Spine HIPAA Right of Access failure 1 $100,000
Dignity Health, dba St. Joseph’s Hospital and Medical Center HIPAA Right of Access failure 1 $160,000
Premera Blue Cross Risk assessment failure; risk management failure; insufficient hardware and software controls; unauthorized access to the PHI of 10,466,692 individuals 10,466,692 $6,850,000
CHSPSC LLC Failure to conduct a risk analysis; failures to implement information system activity reviews, security incident procedures, and access controls, and a breach of the ePHI of more than 6 million individuals 6,121,158 $2,300,000
Athens Orthopedic Clinic PA Failure to conduct a risk analysis; lack of risk management and audit controls; failure to maintain HIPAA policies and procedures; business associate agreement failure; and the failure to provide HIPAA Privacy Rule training to the workforce. 208,557 $1,500,000
Housing Works, Inc. HIPAA Right of Access failure 1 $38,000
All Inclusive Medical Services, Inc. HIPAA Right of Access failure 1 $15,000
Beth Israel Lahey Health Behavioral Services HIPAA Right of Access failure 1 $70,000
King MD HIPAA Right of Access failure 1 $3,500
Wise Psychiatry, PC HIPAA Right of Access failure 1 $10,000
Lifespan Health System Affiliated Covered Entity Lack of encryption; insufficient device and media controls;ack of business associate agreements; impermissible disclosure of 20,431 patients’ ePHI 20,431 $1,040,000
Metropolitan Community Health Services dba Agape Health Services Longstanding, systemic noncompliance with the HIPAA Security Rule 1,263 $25,000

OCR HIPAA Fines 2019

HIPAA enforcement continued at a high level in 2019. Eight settlements were reached with HIPAA covered entities and business associates to resolve HIPAA violations and two civil monetary penalties were issued. The financial penalties were imposed to resolve similar violations of HIPAA Rules as previous years, but 2019 also saw the first financial penalties issued under OCR’s new HIPAA Right of Access initiative. Two covered entities settled cases over the failure to provide patients with a copy of their medical records, in the requested format, in a reasonable time frame.

2019 OCR HIPAA Settlements

Covered Entity Reason Individuals Impacted Amount
West Georgia Ambulance Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures. 500 $65,000
Korunda Medical, LLC HIPAA Right of Access failure. 1 or more $85,000
Sentara Hospitals Breach notification failure; business associate agreement failure 577 $2,175,000
University of Rochester Medical Center Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls. 43 $3,000,000
Elite Dental Associates Social media disclosure; notice of privacy practices; impermissible PHI disclosure. Unconfirmed $10,000
Bayfront Health St Petersburg HIPAA Right of Access failure 1 $85,000
Medical Informatics Engineering Risk analysis failure; impermissible disclosure of 3.5 million records 3,500,000 $100,000
Touchstone Medical imaging No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI. 307,839 $3,000,000

2019 OCR Civil Monetary Penalties

Covered Entity Reason Individuals Impacted Amount
Texas Department of Aging and Disability Services Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI 6,617 $1,600,000
Jackson Health System Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations 25,661 $2,154,000

OCR HIPAA Fines 2018

There was a year-over-year increase in HIPAA violation penalties in 2018. 11 financial penalties were agreed in 2018: 10 settlements and one civil monetary penalty. Two records were broken in 2018. 2018 saw the largest ever HIPAA settlement agreed – A $16 million financial penalty for Anthem Inc., to resolve HIPAA violations discovered during the investigation of its 78.8 million record breach in 2015. HIPAA covered entities also paid more in fines than in any other year since OCR started enforcing compliance with HIPAA Rules: $28,683,400.

2018 OCR HIPAA Settlements

Covered Entity Reason Individuals Impacted Amount
Cottage Health Risk analysis and risk management failures; No BAA 62,500 $3,000,000
Pagosa Springs Medical Center Failure to terminate employee access; No BAA 557+ $111,400
Advanced Care Hospitalists Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 9,255 $500,000
Allergy Associates of Hartford PHI disclosure to reporter; No sanctions against employee 1 $125,000
Anthem Inc Risk analysis failure; Insufficient reviews of system activity; Failure to respond to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access 78,800,000 $16,000,000
Boston Medical Center Filming patients without consent Unspecified $100,000
Brigham and Women’s Hospital Filming patients without consent Unspecified $384,000
Massachusetts General Hospital Filming patients without consent Unspecified $515,000
Filefax, Inc. Impermissible disclosure of physical PHI – Left unprotected in truck 2,150 $100,000
Fresenius Medical Care North America 5 breaches: Investigation revealed risk analysis failures; Impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards 521 $3,500,000

2018 Civil Monetary Penalties for HIPAA Violations

Covered Entity Reason Individuals Impacted Amount
University of Texas MD Anderson Cancer Center 3 breaches resulting in an impermissible disclosure of ePHI; No Encryption 34,883 $4,348,000

OCR HIPAA Fines 2017

A summary of the 2017 OCR penalties for HIPAA violations.

2017 OCR HIPAA Settlements

Covered Entity Breach Summary Individuals Impacted Settlement Amount
Memorial Healthcare System Impermissible access of PHI by employees; Impermissible disclosure of PHI to affiliated physicians’ offices 115,143 $5,500,000
Cardionet Theft of an unencrypted laptop computer 1,391 $2,500,000
Memorial Hermann Health System Disclosure of patient’s PHI to the media 1 $2,400,000
21st Century Oncology Multiple HIPAA violations 2,213,597 $2,300,000
MAPFRE Life Insurance Company of Puerto Rico Theft of an unencrypted USB storage device 2,209 $2,200,000
Presense Health Delayed breach notifications 836 $475,000
Metro Community Provider Network Lack of a security management process to safeguard ePHI 3,200 $400,000
Luke’s-Roosevelt Hospital Center Inc. Impermissible disclosure of PHI to patient’s employer 1 $387,000
The Center for Children’s Digestive Health Lack of a business associate agreement N/A $31,000

2017 Civil Monetary Penalties for HIPAA Violations

Covered Entity Breach Summary Individuals Impacted Penalty Amount
Children’s Medical Center of Dallas Theft of unencrypted devices 6,262 $3,200,000

OCR HIPAA Fines 2016

2016 was a record year for financial penalties to resolve violations of HIPAA Rules. 2016 saw 12 settlements agreed and one civil monetary penalty issued by OCR.

2016 OCR HIPAA Settlements

Covered Entity Breach Summary Individuals Impacted Settlement Amount
Feinstein Institute for Medical Research Improper disclosure of research participants’ PHI 13,000 $3,900,000
Advocate Health Care Network Theft of desktop computers; Loss of laptop; Improper accessing of data at business associate 3,994,175 $5,550,000
University of Mississippi Medical Center Unprotected network drive 10,000 $2,750,000
Oregon Health & Science University Loss of unencrypted laptop; Storage on cloud server without BAA 4,361 $2,700,000
New York Presbyterian Hospital Filming of patients by TV crew Unconfirmed $2,200,000
North Memorial Health Care of Minnesota Theft of laptop computer; Improper disclosure to business associate 299,401 $1,550,000
St. Joseph Health PHI made available through search engines 31,800 $2,140,500
Raleigh Orthopaedic Clinic, P.A. of North Carolina Improper disclosure to business associate 17,300 $750,000
University of Massachusetts Amherst (UMass) Malware infection 1,670 $650,000
Catholic Health Care Services of the Archdiocese of Philadelphia Theft of mobile device 412 $650,000
Care New England Health System Loss of two unencrypted backup tapes 14,000 $400,000
Complete P.T., Pool & Land Physical Therapy, Inc. Improper disclosure of PHI (website testimonials) Unconfirmed $25,000

 2016 Civil Monetary Penalties for HIPAA Violations

Covered Entity Breach Summary Individuals Impacted Penalty Amount
Lincare, Inc. Improper disclosure (unprotected documents) 278 $239,800

 

The post What are the Penalties for HIPAA Violations? appeared first on HIPAA Journal.

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights.

The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen.

The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI.

HIPAA penalties are tiered and are based on the level of culpability, with the Office for Civil Rights determining M.D. Anderson had reasonable cause to know it was in violation of the HIPAA Rules. OCR calculated the appropriate penalties to be $1,348,000 for the of lack of encryption and $1.5 million per year for the impermissible disclosures of ePHI.

M.D. Anderson contested the financial penalties and after two unsuccessful reviews, OCR imposed the civil monetary penalties on the Texas healthcare provider in June 2018. M.D. Anderson then petitioned the 5th Circuit Court of Appeals to review the ruling in April 2019.

M.D. Anderson maintained that the HHS’ Office for Civil Rights is a federal agency and exceeded its authority by imposing the civil monetary penalties, since M.D. Anderson is a state agency and is therefore not a ‘person’ covered by the Enforcement Provision of the Health Insurance Portability and Accountability Act. M.D. Anderson also alleged the financial penalty was excessive. At the time it was the third largest HIPAA penalty to be imposed on a single covered entity for violations of the HIPAA Rules.

The two failed reviews resulted in the case going before an Administrative Law Judge (ALJ) who refused to rule on whether HIPAA, the HITECH Act, any other statute applied, nor whether the civil monetary penalty was arbitrary or capricious.

The 5th Circuit explained, “For the sake of today’s decision, we assume that M.D. Anderson is such a “person” and that the enforcement provision therefore applies. The petition for review nonetheless must be granted for an independent reason: the CMP violates the Administrative Procedure Act (“APA”).”

After reviewing the financial penalty, the Court of Appeals ruled that the Office for Civil Rights had acted arbitrarily, and its decision was capricious and contrary to law for at least four independent reasons. As required by HIPAA, M.D. Anderson had implemented a mechanism for encryption as early as 2006, but the Office for Civil Rights failed to demonstrate that M.D. Anderson had not done enough to secure the ePHI of its patients. It was only possible to demonstrate that three employees had failed to abide by M.D. Anderson’s encryption policies.

The Court of Appeals also found issue with the impermissible disclosure aspect of the decision. The HIPAA definition of disclosure suggests an affirmative act rather than a passive loss of information, and also that ePHI would need to be disclosed to someone outside the covered entity, when that could not be determined in this case.

The Court of Appeals also found the decision to fine some covered entities for loss/theft incidents and not others was inconsistent. Regarding the penalty amount, under the “reasonable cause” penalty tier, the maximum fine for violations of an identical provision during a calendar year may not exceed $100,000. The ALJ and the Departmental Appeals Board nevertheless determined that the per-year statutory cap was $1,500,000.

Following the petition to the Court of Appeals, the HHS’ Office for Civil Rights conceded that the $4,348,000 financial penalty could not be justified and asked the Court of Appeals to reduce the fine by a factor of ten to $450,000.

The Court of Appeals concluded that the Government had offered no lawful basis for the civil monetary penalties, vacated the CMP order, and remanded the matter for further proceedings consistent with the court’s opinion.

The post M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal appeared first on HIPAA Journal.

2020 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance.

Penalties for Noncompliance with the HIPAA Right of Access

In late 2019, the OCR announced a new HIPAA enforcement initiative to tackle noncompliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been highly active and has imposed 14 financial penalties for noncompliance, 11 of which were announced in 2020.

The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to an individual’s health records may be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who allege they have been denied access to their health records, have not received records within 30 days, or have been charged excessive amounts for copies of their records. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. In many cases, records were only provided after OCR intervened.

2020 HIPAA Right of Access Enforcement Actions

Covered Entity Penalty Outcome
Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement
NY Spine $100,000 Settlement
Beth Israel Lahey Health Behavioral Services $70,000 Settlement
University of Cincinnati Medical Center $65,000 Settlement
Housing Works, Inc. $38,000 Settlement
Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement
Riverside Psychiatric Medical Group $25,000 Settlement
Dr. Rajendra Bhayani $15,000 Settlement
All Inclusive Medical Services, Inc. $15,000 Settlement
Wise Psychiatry, PC $10,000 Settlement
King MD $3,500 Settlement

Other 2020 HIPAA Violation Penalties

The remaining HIPAA violation penalties issued in 2020 were issued for noncompliance with several provisions of the HIPAA Rules. The penalty amounts reflect the seriousness of the violations, the harm caused, number of individuals affected, the level of cooperation with OCR, the voluntary actions taken to address the violations, and the ability of the entity to pay. In each of the HIPAA violation cases below, OCR discovered multiple violations of the HIPAA Rules.

Covered Entity Amount Outcome
Premera Blue Cross $6,850,000 Settlement
CHSPSC LLC $2,300,000 Settlement
Athens Orthopedic Clinic $1,500,000 Settlement
Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement
Aetna $1,000,000 Settlement
City of New Haven, CT $202,400 Settlement
Steven A. Porter, M.D $100,000 Settlement
Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement

Second Largest HIPAA Violation Penalty for Premera Blue Cross

The largest HIPAA violation penalty of 2020 was imposed on the health insurer Premera Blue Cross. Premera Blue Cross was investigated over data breach in which the protected health information of 10,466,692 individuals was obtained by hackers.

During the investigation OCR discovered multiple potential violations of the HIPAA Security Rule. Premera Blue Cross had failed to conduct a comprehensive risk analysis, had not reduced risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and had implemented insufficient hardware and software controls.

Premera Blue Cross agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of noncompliance.

In addition to the OCR penalty, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims of the breach for $74 million.

The financial penalty was the second largest ever to be issued by OCR. The largest HIPAA violation penalty – $16 million – was paid by Anthem Inc. in 2018 and resolved an investigation into its 78.8 million record data breach that was discovered in 2015. Following on from that settlement, in 2020 Anthem Inc settled a multi-state action and paid $48.2 million in penalties. Anthem also settled a class action lawsuit filed on behalf of victims of the breach in 2018 for $115 million.

CHSPSC LLC

CHSPSC LLC, a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, suffered a cyberattack in April 2014 in which compromised admin credentials were used by hackers to gain access to its systems. The hackers stole the ePHI of 6,121,158 individuals.

OCR investigated and found systemic noncompliance with the HIPAA Security Rule. CHSPSC had failed to conduct a comprehensive risk analysis, was not conducting information system activity reviews, and had implemented insufficient access controls and security incident response procedures. When notified about the cyberattack by the FBI, it took CHSPSC two months to respond.

CHSPSC LLC settled the case, paid a $2,300,000 penalty, and adopted a corrective action plan to address all areas of noncompliance. Community Health Systems and CHSPSC LLC also settled a multi-state action with 28 state Attorneys General over the breach for $5,000,000.

Athens Orthopedic Clinic

The Athens, GA-based healthcare provider Athens Orthopedic Clinic suffered a cyberattack in 2016 in which a hacker stole a database containing the PHI of 208,557 patients and demanded payment not to release the stolen data. When payment was not received the database was published.

OCR’s investigation into the breach uncovered systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had failed to conduct a comprehensive risk analysis, had not implemented security procedures to reduce risks to ePHI to a reasonable and appropriate level, had failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, and did not implement HIPAA policies until August 2016.

OCR also found the clinic had not entered into business associate agreements with three vendors and did not provide HIPAA Privacy Rule training to the entire workforce until January 15, 2018.

Athens Orthopedic Clinic agreed to settle the case, paid a $1.5 million penalty, and adopted a corrective action plan to address all areas of noncompliance.

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island not-for-profit health system with many healthcare provider affiliates in the state. In February 2017, an unencrypted laptop computer was stolen from an employee’s vehicle. The laptop contained the ePHI of 20,431 patients.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan had conducted a risk analysis and determined encryption was required for its mobile devices due to the high risk of data exposure, but failed to implement encryption on mobile devices. Movement of the devices in and out of its facilities was not tracked and there was no comprehensive inventory of mobile devices. OCR also found that there was no business associate agreement between Lifespan Corporation and Lifespan ACE.

Lifespan ACE agreed to settle the case, paid a $1,040,000 penalty, and adopted a corrective action plan to address all areas of noncompliance.

Aetna

Aetna Life Insurance Company and its affiliated covered entity (Aetna) were investigated by OCR after reporting three data breaches in 2017. The first breach involved the exposure of the protected health information of 5,002 plan members over the Internet, and the other two breaches involved mailings in which sensitive PHI could be viewed through the windows of the envelopes. In the first mailing to 11,887 individuals the words ‘HIV medication’ could be viewed through the windows of the envelopes. In the second mailing to 1,600 individuals, the name and logo of an atrial fibrillation study could be viewed.

OCR determined Aetna had not performed periodic technical and nontechnical evaluations of operational changes affecting the security of their ePHI, procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosures, and there was a lack of appropriate administrative, technical, and physical safeguards to ensure the privacy of ePHI.

Aetna agreed to settle the case, paid a $1 million penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Other penalties related to be breach include a $1.15 million settlement with the New York Attorney General, a $935,000 settlement with the California Attorney General, and similar settlements with Connecticut ($99,959), the District of Columbia ($175,000), and New Jersey ($365,211.59). A class action lawsuit filed on behalf of victims of the breach was settled for $17.2 million.

City of New Haven, CT

In January 2017, the City of New Haven in Connecticut reported a data breach of the ePHI of 498 individuals to OCR. The city had terminated an employee in 2016 during her probationary period. The former employee returned to the New Haven Heath Department with her union representative after she had been terminated, used her work key to access her old office, and locked herself inside. She used her login credentials to access a work computer and copied data onto a USB drive before leaving.

In addition to failing to terminate the former employee’s access rights, OCR discovered a comprehensive risk analysis had not been performed, the city had failed to implement HIPAA Privacy Rule policies, and had not issued unique IDs to allow system activity to be tracked.

The City of New Haven settled the case, paid a $202,400 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Steven A. Porter, M.D

The medical practice of Steven A. Porter, M.D in Ogden, UT provides gastroenterological services to more than 3,000 patients. On November 13, 2013, OCR received a breach notification alleging Dr. Porter’s electronic medical record company was impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid.

OCR investigated and found serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, a risk analysis had never been performed and risks to the confidentiality, integrity, and availability of ePHI had not been managed and reduced to a reasonable and acceptable level. The practice had also allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without entering into a business associate agreement.

Dr. Porter settled the case, paid a $100,00 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Metropolitan Community Health Services / Agape Health Services

Metropolitan Community Health Services is a Washington, NC-based Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina.

In June 2011, Metro notified OCR about a breach of the PHI of 1,263 patients. OCR conducted a compliance review and identified longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metro had not implemented HIPAA Security Rule policies and procedures, had failed to conduct an accurate risk analysis, and had not provided security awareness training to its workforce for more than 16 years.

Metro settled the case, paid a $25,000 penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Further information on HIPAA Penalties

You can view a summary of the HIPAA violation penalties in previous years on this link.

The post 2020 HIPAA Violation Cases and Penalties appeared first on HIPAA Journal.