HIPAA Compliance News

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights.

The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen.

The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI.

HIPAA penalties are tiered and are based on the level of culpability, with the Office for Civil Rights determining M.D. Anderson had reasonable cause to know it was in violation of the HIPAA Rules. OCR calculated the appropriate penalties to be $1,348,000 for the of lack of encryption and $1.5 million per year for the impermissible disclosures of ePHI.

M.D. Anderson contested the financial penalties and after two unsuccessful reviews, OCR imposed the civil monetary penalties on the Texas healthcare provider in June 2018. M.D. Anderson then petitioned the 5th Circuit Court of Appeals to review the ruling in April 2019.

M.D. Anderson maintained that the HHS’ Office for Civil Rights is a federal agency and exceeded its authority by imposing the civil monetary penalties, since M.D. Anderson is a state agency and is therefore not a ‘person’ covered by the Enforcement Provision of the Health Insurance Portability and Accountability Act. M.D. Anderson also alleged the financial penalty was excessive. At the time it was the third largest HIPAA penalty to be imposed on a single covered entity for violations of the HIPAA Rules.

The two failed reviews resulted in the case going before an Administrative Law Judge (ALJ) who refused to rule on whether HIPAA, the HITECH Act, any other statute applied, nor whether the civil monetary penalty was arbitrary or capricious.

The 5th Circuit explained, “For the sake of today’s decision, we assume that M.D. Anderson is such a “person” and that the enforcement provision therefore applies. The petition for review nonetheless must be granted for an independent reason: the CMP violates the Administrative Procedure Act (“APA”).”

After reviewing the financial penalty, the Court of Appeals ruled that the Office for Civil Rights had acted arbitrarily, and its decision was capricious and contrary to law for at least four independent reasons. As required by HIPAA, M.D. Anderson had implemented a mechanism for encryption as early as 2006, but the Office for Civil Rights failed to demonstrate that M.D. Anderson had not done enough to secure the ePHI of its patients. It was only possible to demonstrate that three employees had failed to abide by M.D. Anderson’s encryption policies.

The Court of Appeals also found issue with the impermissible disclosure aspect of the decision. The HIPAA definition of disclosure suggests an affirmative act rather than a passive loss of information, and also that ePHI would need to be disclosed to someone outside the covered entity, when that could not be determined in this case.

The Court of Appeals also found the decision to fine some covered entities for loss/theft incidents and not others was inconsistent. Regarding the penalty amount, under the “reasonable cause” penalty tier, the maximum fine for violations of an identical provision during a calendar year may not exceed $100,000. The ALJ and the Departmental Appeals Board nevertheless determined that the per-year statutory cap was $1,500,000.

Following the petition to the Court of Appeals, the HHS’ Office for Civil Rights conceded that the $4,348,000 financial penalty could not be justified and asked the Court of Appeals to reduce the fine by a factor of ten to $450,000.

The Court of Appeals concluded that the Government had offered no lawful basis for the civil monetary penalties, vacated the CMP order, and remanded the matter for further proceedings consistent with the court’s opinion.

The post M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal appeared first on HIPAA Journal.

2020-2021 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules.

While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than penalties for violations of multiple HIPAA Rules that impacted large numbers of individuals. The $5,100,000 penalty, imposed on Excellus Health Plan, was so large because there were multiple violations of the HIPAA Rules, over multiple years, that led to a breach of the ePHI of 9,358,891 individuals.

Penalties for Noncompliance with the HIPAA Right of Access

In late 2019, OCR announced a new HIPAA enforcement initiative to tackle non-compliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been rigorously enforcing compliance with the HIPAA Right of Access and as of December 2021, has imposed 25 penalties for HIPAA Right of Access violations totaling $1,564,650. The fines range from $3,500 to $200,000. There have been 24 settlements and one civil monetary penalty, with many of the fines imposed on small healthcare providers.

The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of the requested records. A request for access to an individual’s health records may be denied, but only in very limited circumstances.

OCR investigates complaints from individuals who allege they have been denied access to their health records, have not received records within 30 days, or have been charged excessive amounts for copies of their records. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. In many cases, records were only provided after OCR intervened.

2021 HIPAA Right of Access Enforcement Actions

Covered Entity Penalty Outcome
Banner Health 200,000 Settlement
Rainrock Treatment Center LLC (dba monte Nido Rainrock) 160,000 Settlement
Dr. Robert Glaser 100,000 Civil Monetary Penalty
Children’s Hospital & Medical Center 80,000 Settlement
Renown Health 75,000 Settlement
Sharpe Healthcare 70,000 Settlement
Arbour Hospital 65,000 Settlement
Advanced Spine & Pain Management 32,150 Settlement
Denver Retina Center 30,000 Settlement
Village Plastic Surgery 30,000 Settlement
Wake Health Medical Group 10,000 Settlement

Other 2021 HIPAA Violation Penalties

Covered Entity Penalty Outcome
Excellus Health Plan $5,100,000 Settlement
AEON Clinical Laboratories (Peachstate) $25,000 Settlement

Only two HIPAA enforcement actions in 2021 were not the result of HIPAA Right of Acess violations.

Excellus Health Plan

Rochester, New York-based Excellus Health Plan, a member of the Blue Cross Blue Shield Association, was investigated to identify potential HIPAA compliance issues following a report of a data breach of 9,358,891 records in 2015. It was one of three mega data breaches to be reported by health plans that year, Anthem Inc and Premera Blue Cross being the other two, both of which had settled their cases and paid sizeable penalties.

Excellus discovered the breach in August 2015, with its investigation revealing hackers had access to its systems between December 23, 2013, and May 11, 2015. The breach was reported to OCR on September 9, 2015. Malware had been installed which allowed the hackers to exfiltrate the data of around 7 million Excellus Health Plan members and approximately 2.5 million members of Lifetime Healthcare, its non-BlueCross subsidiary, which included names, contact information, dates of birth, Social Security numbers, health plan ID numbers, claims data, financial account information, and clinical treatment information.

OCR’s investigation uncovered multiple HIPAA violations, including the failure to conduct an accurate and thorough organization-wide risk analysis, the failure to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and a lack of technical policies and procedures to limit data access to authorized persons and software programs. Excellus chose to settle the case and paid a $5,100,000 penalty and agreed to implement a comprehensive Corrective Action Plan to address all areas of non-compliance.

Peachstate Health Management LLC, dba AEON Clinical Laboratories

The enforcement action against Peachstate Health Management is notable because this was the first OCR investigation to result in a financial penalty for HIPAA violations identified in a company that was not the initial subject of the investigation.

OCR launched an investigation after receiving a report from the Department of Veteran Affairs in 2015 about a data breach involving its business associate, Authentidate Holding Corporation (AHC). AHC managed the VA’s Telehealth Services Program and suffered a data breach. While investigating, OCR learned that AHC had entered into a reverse merger with Peachstate Health Management on January 27, 2016, which saw Peachstate acquired by AHC. Peachstate is a CLIA-certified laboratory that provides clinical and genetic testing services through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR then launched an investigation of Peachstate to assess HIPAA Privacy and Security Rule compliance and found multiple violations of the HIPAA Rules. OCR identified multiple HIPAA Security Rule failures, including risk assessment, risk management, audit controls failures, as well as the failure to maintain documentation of HIPAA Security Rule policies and procedures. The case was settled for $25,000, and a corrective action plan was agreed to resolve the HIPAA violations.

2020 HIPAA Right of Access Enforcement Actions

Covered Entity Penalty Outcome
Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement
NY Spine $100,000 Settlement
Beth Israel Lahey Health Behavioral Services $70,000 Settlement
University of Cincinnati Medical Center $65,000 Settlement
Housing Works, Inc. $38,000 Settlement
Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement
Riverside Psychiatric Medical Group $25,000 Settlement
Dr. Rajendra Bhayani $15,000 Settlement
All Inclusive Medical Services, Inc. $15,000 Settlement
Wise Psychiatry, PC $10,000 Settlement
King MD $3,500 Settlement

Other 2020 HIPAA Violation Penalties

The remaining HIPAA violation penalties issued in 2020 were issued for non-compliance with several provisions of the HIPAA Rules. The penalty amounts reflect the seriousness of the violations, the harm caused, the number of individuals affected, the level of cooperation with OCR, the voluntary actions taken to address the violations, and the ability of the entity to pay. In each of the HIPAA violation cases below, OCR discovered multiple violations of the HIPAA Rules.

Covered Entity Amount Outcome
Premera Blue Cross $6,850,000 Settlement
CHSPSC LLC $2,300,000 Settlement
Athens Orthopedic Clinic $1,500,000 Settlement
Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement
Aetna $1,000,000 Settlement
City of New Haven, CT $202,400 Settlement
Steven A. Porter, M.D $100,000 Settlement
Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement

Second Largest HIPAA Violation Penalty for Premera Blue Cross

The largest HIPAA violation penalty of 2020 was imposed on the health insurer Premera Blue Cross. Premera Blue Cross was investigated over a data breach in which the protected health information of 10,466,692 individuals was obtained by hackers.

During the investigation, OCR discovered multiple potential violations of the HIPAA Security Rule. Premera Blue Cross had failed to conduct a comprehensive risk analysis, had not reduced risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and had implemented insufficient hardware and software controls.

Premera Blue Cross agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of noncompliance.

In addition to the OCR penalty, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims of the breach for $74 million.

The financial penalty was the second-largest ever to be issued by OCR. The largest HIPAA violation penalty – $16 million – was paid by Anthem Inc. in 2018 and resolved an investigation into its 78.8 million record data breach that was discovered in 2015. Following on from that settlement, in 2020 Anthem Inc settled a multi-state action and paid $48.2 million in penalties. Anthem also settled a class action lawsuit filed on behalf of victims of the breach in 2018 for $115 million.

CHSPSC LLC

CHSPSC LLC, a Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, suffered a cyberattack in April 2014 in which compromised admin credentials were used by hackers to gain access to its systems. The hackers stole the ePHI of 6,121,158 individuals.

OCR investigated and found systemic noncompliance with the HIPAA Security Rule. CHSPSC had failed to conduct a comprehensive risk analysis, was not conducting information system activity reviews, and had implemented insufficient access controls and security incident response procedures. When notified about the cyberattack by the FBI, it took CHSPSC two months to respond.

CHSPSC LLC settled the case, paid a $2,300,000 penalty, and adopted a corrective action plan to address all areas of noncompliance. Community Health Systems and CHSPSC LLC also settled a multi-state action with 28 state Attorneys General over the breach for $5,000,000.

Athens Orthopedic Clinic

The Athens, GA-based healthcare provider Athens Orthopedic Clinic suffered a cyberattack in 2016 in which a hacker stole a database containing the PHI of 208,557 patients and demanded payment not to release the stolen data. When payment was not received the database was published.

OCR’s investigation into the breach uncovered systemic noncompliance with the HIPAA Rules. Athens Orthopedic Clinic had failed to conduct a comprehensive risk analysis, had not implemented security procedures to reduce risks to ePHI to a reasonable and appropriate level, had failed to implement appropriate hardware, software, and procedures for recording and analyzing information system activity, and did not implement HIPAA policies until August 2016.

OCR also found the clinic had not entered into business associate agreements with three vendors and did not provide HIPAA Privacy Rule training to the entire workforce until January 15, 2018.

Athens Orthopedic Clinic agreed to settle the case, paid a $1.5 million penalty, and adopted a corrective action plan to address all areas of noncompliance.

Lifespan Health System Affiliated Covered Entity

Lifespan Health System Affiliated Covered Entity is a Rhode Island not-for-profit health system with many healthcare provider affiliates in the state. In February 2017, an unencrypted laptop computer was stolen from an employee’s vehicle. The laptop contained the ePHI of 20,431 patients.

OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan had conducted a risk analysis and determined encryption was required for its mobile devices due to the high risk of data exposure but failed to implement encryption on mobile devices. The movement of the devices in and out of its facilities was not tracked and there was no comprehensive inventory of mobile devices. OCR also found that there was no business associate agreement between Lifespan Corporation and Lifespan ACE.

Lifespan ACE agreed to settle the case, paid a $1,040,000 penalty, and adopted a corrective action plan to address all areas of noncompliance.

Aetna

Aetna Life Insurance Company and its affiliated covered entity (Aetna) were investigated by OCR after reporting three data breaches in 2017. The first breach involved the exposure of the protected health information of 5,002 plan members over the Internet, and the other two breaches involved mailings in which sensitive PHI could be viewed through the windows of the envelopes. In the first mailing to 11,887 individuals the words ‘HIV medication’ could be viewed through the windows of the envelopes. In the second mailing to 1,600 individuals, the name and logo of an atrial fibrillation study could be viewed.

OCR determined Aetna had not performed periodic technical and non-technical evaluations of operational changes affecting the security of their ePHI, procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosures, and there was a lack of appropriate administrative, technical, and physical safeguards to ensure the privacy of ePHI.

Aetna agreed to settle the case, paid a $1 million penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Other penalties related to be breach include a $1.15 million settlement with the New York Attorney General, a $935,000 settlement with the California Attorney General, and similar settlements with Connecticut ($99,959), the District of Columbia ($175,000), and New Jersey ($365,211.59). A class action lawsuit filed on behalf of victims of the breach was settled for $17.2 million.

City of New Haven, CT

In January 2017, the City of New Haven in Connecticut reported a data breach of the ePHI of 498 individuals to OCR. The city had terminated an employee in 2016 during her probationary period. The former employee returned to the New Haven Health Department with her union representative after she had been terminated, used her work key to access her old office, and locked herself inside. She used her login credentials to access a work computer and copied data onto a USB drive before leaving.

In addition to failing to terminate the former employee’s access rights, OCR discovered a comprehensive risk analysis had not been performed, the city had failed to implement HIPAA Privacy Rule policies, and had not issued unique IDs to allow system activity to be tracked.

The City of New Haven settled the case, paid a $202,400 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Steven A. Porter, M.D

The medical practice of Steven A. Porter, M.D in Ogden, UT provides gastroenterological services to more than 3,000 patients. On November 13, 2013, OCR received a breach notification alleging Dr. Porter’s electronic medical record company was impermissibly using patients’ electronic medical records by blocking the practice’s access to ePHI until a $50,000 bill was paid.

OCR investigated and found serious violations of the HIPAA Security Rule at the practice. At the time of the investigation, a risk analysis had never been performed and risks to the confidentiality, integrity, and availability of ePHI had not been managed and reduced to a reasonable and acceptable level. The practice had also allowed Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on behalf of the practice, without entering into a business associate agreement.

Dr. Porter settled the case, paid a $100,00 financial penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Metropolitan Community Health Services / Agape Health Services

Metropolitan Community Health Services is a Washington, NC-based Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina.

In June 2011, Metro notified OCR about a breach of the PHI of 1,263 patients. OCR conducted a compliance review and identified longstanding, systemic noncompliance with the HIPAA Security Rule.

Prior to the breach, Metro had not implemented HIPAA Security Rule policies and procedures, had failed to conduct an accurate risk analysis, and had not provided security awareness training to its workforce for more than 16 years.

Metro settled the case, paid a $25,000 penalty, and agreed to adopt a corrective action plan to address all areas of noncompliance.

Further information on HIPAA Penalties

You can view a summary of the HIPAA violation penalties in previous years on this link.

The post 2020-2021 HIPAA Violation Cases and Penalties appeared first on HIPAA Journal.

OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine

The HHS’ Office for Civil Rights (OCR) is continuing to crackdown on healthcare providers that are not providing patients with timely access to their medical records. Yesterday, OCR announced a settlement had been agreed with Banner Health to resolve a HIPAA Right of Access investigation. Banner Health agreed to pay $200,000 to settle the case.

The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their own protected health information. When a request is received, HIPAA-covered entities are required to provide a copy of the requested records within 30 days.

In late 2019, OCR announced it was cracking down on noncompliance with this important provision of HIPAA. Since then, 14 financial penalties have been imposed on covered entities that have failed to provide patients with timely access to their medical records.

Phoenix, AZ-based Banner Health is one of the largest health care systems in the United States. The non-profit health system operates 30 hospitals and many primary care, urgent care, and specialty care facilities.

OCR received two complaints from patients of Banner Health affiliated covered entities alleging long delays receiving copies of medical records. The first patient submitted a request to Banner Estrella Medical Center in December 2017 and was not provided with the requested records until May 2018. A second complaint was received alleging another patient had to wait 5 months for an electronic copy of his records. The request was submitted to Banner Gateway Medical Center in September 2019 and he did not receive the records until February 2020.

The $200,000 financial penalty is the largest HIPAA fine imposed on a HIPAA-covered entity by OCR under its HIPAA Right of Access enforcement initiative. In addition to paying the financial penalty, Banner Health has agreed to adopt a corrective action plan that includes reviewing and revising written policies on health record access, implementing those policies, and providing training to staff on the new policies.  OCR will monitor Banner Health for 2 years to ensure compliance.

“This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records,” said OCR Director Roger Severino.

The post OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine appeared first on HIPAA Journal.

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law

On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach.

While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach.

The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions.

The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches and considering HIPAA enforcement penalties or other regulatory actions. If an entity has adopted the NIST Cybersecurity Framework or HITRUST CSF for example, it will be taken into consideration when calculating fines related to security breaches. Adoption of security best practices will mitigate remedies that would otherwise be agreed between an entity and the HHS to resolve potential violations of the HIPAA Security Rule.

The bill also requires the HHS to decrease the extent and length of audits if an entity is determined to have achieved industry-standard security best practices and makes it clear that the HHS is not authorized to increase fines for entities found not to have adhered to recognized security practices.

Recognized security practices are defined as “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule.”

The healthcare industry is extensively targeted by hackers and healthcare data breaches are becoming much more common. Each year, the number of successful cyberattacks on healthcare organizations and their business associates increases and 2020 was no exception. 2020 was the worst ever year for healthcare industry data breaches by far. It is also worth noting that 2020 saw more HIPAA penalties imposed on HIPAA covered entities and business associates by the HHS’ Office for Civil Rights than any other year since the HHS was given the authority to impose financial penalties for HIPAA violations.

Healthcare organizations and HIPAA business associates that have not yet adopted a common cybersecurity framework or other recognized security practices should consider doing so now. Adoption of recognized security practices will help to reduce the risk of a data breach as well as the negative consequences if a data breach does occur.

The post HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law appeared first on HIPAA Journal.

OCR Announces its 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care.

Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation following receipt of a compliant from an Elite Primary Care patient on April 22, 2019 who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule.

The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records.

Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and provided the patient with a copy of those records on May 8, 2020.

OCR concluded the delay in providing the patient with a copy of his requested records was in violation of the HIPAA Right of Access (45 C.F.R. § 164.524).

Under the terms of the settlement, Elite Primary Care will pay a financial penalty of $36,000 and adopt a corrective action plan that includes developing, implementing, maintaining, and revising, as necessary, written policies and procedures related to the HIPAA Right of Access provision of the HIPAA Privacy Rule. Once those policies and procedures have been checked by OCR, training will be provided to relevant members of its workforce.

The settlement was agreed with no admission of liability. OCR will monitor Elite Primary Care for 2 years to ensure continued compliance.

This is the thirteenth settlement to be announced by OCR under its HIPAA Right of Access enforcement initiative and the nineteenth HIPAA financial penalty to be announced in 2020.

“OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records.  Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” said OCR Director Roger Severino.

The post OCR Announces its 19th HIPAA Penalty of 2020 appeared first on HIPAA Journal.

November 2020 Healthcare Data Breach Report

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud.

November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).

 

The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records.

Exposed healthcare records past 12 months

Largest Healthcare Data Breaches Reported in November 2020

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause
AspenPointe, Inc. CO Healthcare Provider 295,617 Hacking/IT Incident Ransomware attack
Lawrence General Hospital MA Healthcare Provider 176,587 Hacking/IT Incident Unspecified data security incident
Alamance Skin Center NC Healthcare Provider 100,000 Loss Ransomware attack
Mercy Iowa City IA Healthcare Provider 92,795 Hacking/IT Incident Phishing
Bayhealth Medical Center, Inc. DE Healthcare Provider 78,006 Hacking/IT Incident Blackbaud ransomware attack
Tufts Health Plan MA Health Plan 60,545 Hacking/IT Incident Phishing attack on vendor
Bruce L. Boros, M.D., P.A. DBA Advanced Urgent Care FL Healthcare Provider 58,823 Unauthorized Access/Disclosure Ransomware attack
Methodist Hospital of Southern California CA Healthcare Provider 39,881 Hacking/IT Incident Blackbaud ransomware attack
One Touch Point WI Business Associate 28,658 Unauthorized Access/Disclosure unknown
People Incorporated MN Healthcare Provider 27,500 Hacking/IT Incident phishing
Chesapeake Regional Healthcare VA Healthcare Provider 24,000 Hacking/IT Incident Blackbaud ransomware attack
Seeley Enterprises Company OH Healthcare Provider 16,196 Hacking/IT Incident Ransomware attack
Golden Gate Regional Center CA Business Associate 11,315 Hacking/IT Incident Ransomware attack
Galstan & Ward Family and Cosmetic Dentistry VA Healthcare Provider 10,759 Hacking/IT Incident Ransomware attack
Kaiser Foundation Health Plan of Georgia, Inc. GA Health Plan 10,205 Unauthorized Access/Disclosure Unknown

Causes of November 2020 Healthcare Data Breaches

Hacking/IT incidents continue to dominate the breach reports, both in terms of the number of breaches and the number of breached records. There were 23 hacking/IT incidents reported in November – 48.94% of all breaches reported in the month. 867,983 records were exposed or stolen in those breaches – 76.2% of all records breached in November. The average breach size was 37,738 records and the median breach size was 8,000 records.

There were 19 data breaches classed as unauthorized access/disclosure incidents – 40.43% of the month’s data breaches. 166,115 healthcare records were improperly accessed or impermissibly disclosed in those incidents – 14.58% of the breached records in November. The average breach size was 8,723 records and the median breach size was 3,557 records.

There were 4 loss/theft incidents (2/2) reported in November involving 103,053 records – 8.51% of the month’s breaches and 103,053 healthcare records were exposed or stolen in those incidents – 9.05% of records breached in November. The average breach size was 25,763 records and the median breach size was 1,265 records. There was one incident involving the improper disposal of paperwork that contained the PHI of an estimated 2,000 individuals.

 

The chart below shows the location of breached protected health information. Up until September 2020, email was the most common location of breached patient data, with the majority of those breaches the result of phishing attacks. That changed in September due to the ransomware attack on Blackbaud. Entities impacted by that data breach continue to submit breach reports, albeit at a low level, with network server incidents remaining high due to the healthcare industry continuing to be targeted by ransomware gangs. Phishing attacks continue to be a problem in healthcare, with 13 large data breaches reported involving PHI stored in email accounts.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity in November. 34 healthcare providers reported data breaches and 6 data breaches were reported by health plans.

7 data breaches were reported by business associates of HIPAA covered entities; however, 16 breaches in total had some business associate involvement, with 9 of those breaches reported by the covered entity.

Healthcare Data Breaches by State

The November data breaches were reported by HIPAA-covered entities and business associates in 23 states and the District of Columbia. Ohio was the worst affected state with 5 breaches reported, followed by Georgia and Maine with 4, and California, Florida, and Texas with 3 breaches.

Two healthcare data breaches of 500 or more records were reported by entities based in Arkansas, Delaware, Illinois, Kentucky, Maryland, Michigan, and Virginia. One breach was reported in each of Alabama, Colorado, Iowa, Idaho, Louisiana, Minnesota, North Carolina, New Mexico, Pennsylvania, Wisconsin, and the District of Columbia.

HIPAA Enforcement Activity in November 2020

There were three HIPAA enforcement actions announced by the HHS’ Office for Civil Rights in November, all of which were part of its HIPAA Right of Access enforcement initiative. OCR announced the new enforcement initiative in 2019 to crack down on healthcare providers that fail to provide patients with timely access to their health records for a reasonable cost-based fee.

In all three cases, the healthcare providers did not provide a copy of the requested records within the 30-day time frame demanded by the HIPAA Privacy Rule.

University of Cincinnati Medical Center settled with OCR and paid a $65,000 penalty, Riverside Psychiatric Medical Group paid a $25,000 penalty, and Dr. Rajendra Bhayani paid a $15,000 penalty. Under this enforcement initiative, OCR has imposed 12 financial penalties on covered entities, 10 of which have been in 2020.

The post November 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis.

HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in public health, without requiring prior individual authorization.

Such disclosures are permitted under the following circumstances:

  • When disclosures are required by federal, state, local, or other laws that are enforceable in court
  • When the HIE is acting under a grant of authority or contract with a PHA for a public health activity
  • When the HIE is a business associate of the covered entity or another business associate, and wishes to provide ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only permits an HIE which is a business associate of the covered entity or another business associate to disclose ePHI to a PHA for public health purposes if it is expressly stated that they can do so in the business associate agreement (BAA) with the covered entity. However, earlier this year in response to the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating no action will be taken against a business associate for good faith disclosures of ePHI to a PHA for public health purposes if they are not expressly permitted to disclose ePHI to a PHA in their BAA. In such cases, the business associate must inform the covered entity within 10 calendar days of the disclosure. The notice of enforcement discretion is only valid for the duration of the COVID-19 public health emergency. When the Secretary of the HHS declares the COVID-19 public health emergency over, such disclosures will no longer be permitted unless expressly permitted in the BAA.

Disclosures of ePHI by an HIE to a PHA should be limited to the minimum necessary information to achieve the purpose for the disclosure. A covered entity can rely on a PHA’s request to disclose a summary record to the PHA or HIE as being the minimum necessary PHI to achieve the public health purpose of the disclosure.

A covered entity is permitted by the HIPAA Privacy Rule to disclose ePHI to a PHA through an HIE, even if a direct request for the PHI is not received from the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

While the above disclosures of ePHI for public health purposes do not require authorizations to be obtained from the individuals whose PHI is being disclosed, those individuals must be notified about such disclosures. That can be achieved by stating disclosures of ePHI will occur for public health purposes in the organization’s Notice of Privacy Practices.

You can view the OCR guidance, which includes several examples related to COVID-19, on the HHS website, which can be accessed on this link (PDF).

The post OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA appeared first on HIPAA Journal.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training.  A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry ReportMost covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

The post OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules appeared first on HIPAA Journal.

FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information.

SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted.

The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused.

It its breach notification, SkyMed explained, “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”

The FTC investigated the breach and conducted an audit to determine whether there had been a breach of the FTC Act. The FTC found multiple security and breach response failures. The FTC alleged SkyMed had not investigated whether the database had been accessed by unauthorized individuals during the time protections were not in place, and that the company failed to adequately review the database to determine what information it contained. SkyMed was therefore unable to determine whether any health information had potentially been compromised. When SkyMed confirmed that the database had been exposed, the company deleted the database to prevent any unauthorized access. SkyMed also failed to identify the individuals affected by the breach.

The FTC said every page of the SkyMed website displayed a “HIPAA Compliance” seal, which gave the impression that SkyMed’s privacy and security policies were in compliance with the standards demanded by the Health Insurance Portability and Accountability Act, yet the company had not undergone a third-party audit of its information security practices and no government agency had reviewed the HIPAA compliance claims. The FTC alleged SkyMed had deceived customers for more than 5 years by displaying the HIPAA Compliance seal on its company website.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” Andrew Smith, director of the FTC Bureau of Consumer Protection. The company’s security practices did not meet the required standards and those expected by its customers.

The FTC said “reasonable measures” to secure the personal information of individuals who signed up for its emergency services had not been implemented. SkyMed had not used any data loss prevention tools, there was a lack of access controls, and a failure to implement authentication for its networks. When a security breach occurred and a database containing personal information was exposed, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security researcher.

The nature of the information exposed “has caused or is likely to cause substantial injury to customers,” explained the FTC. “[SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC alleged SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also determined to have engaged in unfair information security practices.

Under the terms of the settlement, SkyMed is prohibited from misrepresenting its data security practices, data breach response, and how the company protects the privacy, security, integrity, and confidentiality of the personal information, and participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard setting organization.

SkyMed must send breach notifications to all impacted consumers and provide information about any information that has potentially been exposed. An information security program must be implemented, which must be coordinated by a designated, qualified employee. The program must include an organization-wide risk assessment to identify potential internal and external risks, and safeguards must be implemented to ensure those risks are mitigated and personal information is protected.

Logs of database access must be created and monitored, and data encryption must be implemented for sensitive data such as financial account information, passport numbers, and health information.  Access controls are required for all data repositories containing personal data and restrictions must be put in place to limit access to sensitive data. SkyMed is also required to certify annually that it is in compliance with the requirements detailed in the FTC settlement.

The post FTC Settles 2019 Consumer Data Breach Case with SkyMed appeared first on HIPAA Journal.