HIPAA Compliance News

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA).

An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis.

HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in public health, without requiring prior individual authorization.

Such disclosures are permitted under the following circumstances:

  • When disclosures are required by federal, state, local, or other laws that are enforceable in court
  • When the HIE is acting under a grant of authority or contract with a PHA for a public health activity
  • When the HIE is a business associate of the covered entity or another business associate, and wishes to provide ePHI to a PHA for public health purposes*

*The HIPAA Privacy Rule only permits an HIE which is a business associate of the covered entity or another business associate to disclose ePHI to a PHA for public health purposes if it is expressly stated that they can do so in the business associate agreement (BAA) with the covered entity. However, earlier this year in response to the COVID-19 public health emergency, OCR issued a notice of enforcement discretion stating no action will be taken against a business associate for good faith disclosures of ePHI to a PHA for public health purposes if they are not expressly permitted to disclose ePHI to a PHA in their BAA. In such cases, the business associate must inform the covered entity within 10 calendar days of the disclosure. The notice of enforcement discretion is only valid for the duration of the COVID-19 public health emergency. When the Secretary of the HHS declares the COVID-19 public health emergency over, such disclosures will no longer be permitted unless expressly permitted in the BAA.

Disclosures of ePHI by an HIE to a PHA should be limited to the minimum necessary information to achieve the purpose for the disclosure. A covered entity can rely on a PHA’s request to disclose a summary record to the PHA or HIE as being the minimum necessary PHI to achieve the public health purpose of the disclosure.

A covered entity is permitted by the HIPAA Privacy Rule to disclose ePHI to a PHA through an HIE, even if a direct request for the PHI is not received from the PHA, provided the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.

While the above disclosures of ePHI for public health purposes do not require authorizations to be obtained from the individuals whose PHI is being disclosed, those individuals must be notified about such disclosures. That can be achieved by stating disclosures of ePHI will occur for public health purposes in the organization’s Notice of Privacy Practices.

You can view the OCR guidance, which includes several examples related to COVID-19, on the HHS website, which can be accessed on this link (PDF).

The post OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA appeared first on HIPAA Journal.

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act.

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules.

The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their individual audits.

The 2016-2017 HIPAA Audits Industry Report details the overall findings of the audits, including key aspects of HIPAA compliance that are proving problematic for covered entities and business associates.

In the report, OCR gives each audited entity a rating based on their level of compliance with each specific provision of the HIPAA Rules under assessment. A rating of 1 indicates the covered entity or business associate was fully compliant with the goals and objectives of the selected standards and implementation specifications. A rating of 2 means the entity substantially met the criteria and maintained adequate policies and procedures and could supply documentation or other evidence of compliance.

A rating of 3 means the entity minimally addressed the audited requirements and had made some attempt to comply, although had failed to comply fully or had misunderstood the HIPAA requirements. A rating of 4 means the entity made negligible efforts to comply, such as supplying policies and procedures for review that were copied directly from an association template or providing poor or generic documentation as evidence of training.  A rating of 5 means OCR was not provided with evidence of a serious attempt to comply with the HIPAA Rules.

The table below summarizes the audit results on key provisions of the HIPAA Rules. The blue and red figures indicate the most common rating in each category, with blue corresponding to mostly ratings of 1 or 2 (compliant) and red indicating implementation was inadequate, negligible, or absent.

The table clearly shows that most audited entities largely failed to successfully implement the HIPAA Rules requirements.

OCR 2016-2017 HIPAA Audits Industry ReportMost covered entities complied with the requirement of the Breach Notification Rule to send timely notifications in the event of a data breach. HIPAA requires those notifications to be sent within 60 days of the discovery of a data breach; however, most covered entities failed to include all the required information in their breach notifications.The audits revealed widespread compliance with the requirement to create and prominently post a Notice of Privacy Practices on their website. The Notice of Privacy Practices gives a clear, user friendly explanation of individuals’ rights with respect to their personal health information and details the organization’s privacy practices. However, most audited entities failed to include all the required content in their Notice of Privacy Practices.

The individual right of access is an important provision of the HIPAA Privacy Rule. Individuals have the right to obtain and inspect their health information. Most covered entities failed to properly implement the requirements of the HIPAA Right of Access, which includes providing access to or a copy of the PHI held within 30 days of receiving a request and only charging a reasonable cost-based fee for access.

The first phase of HIPAA compliance audits conducted by OCR in 2012 revealed widespread noncompliance with the requirement to conduct a comprehensive, organization-wide risk analysis to identify vulnerabilities and risks to the confidentiality, integrity, and availability of protected health information. In its enforcement activities over the past 11 years, a risk analysis failure is the most commonly cited HIPAA violation.

HIPAA covered entities are still failing in this important provision of the HIPAA Security Rule, with the latest round of audits revealing most audited entities failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

You can view the full 2016-2017 HIPAA Audits Industry Report on this link: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf.

The post OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules appeared first on HIPAA Journal.

FTC Settles 2019 Consumer Data Breach Case with SkyMed

Posted by HIPAA Journal

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information.

SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted.

The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused.

It its breach notification, SkyMed explained, “Our investigation learned that some old data may have been exposed temporarily as we migrated data from an old system to a new system. At this time, the exposed data has been removed and appears to be limited to only a portion of our information and was restricted to names, street and email addresses, phone and membership ID numbers. There was no medical or payment-related information visible and no indication that the information has been misused.”

The FTC investigated the breach and conducted an audit to determine whether there had been a breach of the FTC Act. The FTC found multiple security and breach response failures. The FTC alleged SkyMed had not investigated whether the database had been accessed by unauthorized individuals during the time protections were not in place, and that the company failed to adequately review the database to determine what information it contained. SkyMed was therefore unable to determine whether any health information had potentially been compromised. When SkyMed confirmed that the database had been exposed, the company deleted the database to prevent any unauthorized access. SkyMed also failed to identify the individuals affected by the breach.

The FTC said every page of the SkyMed website displayed a “HIPAA Compliance” seal, which gave the impression that SkyMed’s privacy and security policies were in compliance with the standards demanded by the Health Insurance Portability and Accountability Act, yet the company had not undergone a third-party audit of its information security practices and no government agency had reviewed the HIPAA compliance claims. The FTC alleged SkyMed had deceived customers for more than 5 years by displaying the HIPAA Compliance seal on its company website.

“People who bought travel protection services trusted SkyMed with their personal health information, and SkyMed had an obligation to keep that information secure,” Andrew Smith, director of the FTC Bureau of Consumer Protection. The company’s security practices did not meet the required standards and those expected by its customers.

The FTC said “reasonable measures” to secure the personal information of individuals who signed up for its emergency services had not been implemented. SkyMed had not used any data loss prevention tools, there was a lack of access controls, and a failure to implement authentication for its networks. When a security breach occurred and a database containing personal information was exposed, SkyMed failed to detect the exposed database for 5 months, and only then because it was found by a security researcher.

The nature of the information exposed “has caused or is likely to cause substantial injury to customers,” explained the FTC. “[SkyMed] could have prevented or mitigated these information security failures through readily available, and relatively low-cost, measures.”

The FTC alleged SkyMed had engaged in unfair and/or deceptive acts or practices under Section 5 of the FTC Act, which included two counts of deception about HIPAA compliance and its breach response. SkyMed was also determined to have engaged in unfair information security practices.

Under the terms of the settlement, SkyMed is prohibited from misrepresenting its data security practices, data breach response, and how the company protects the privacy, security, integrity, and confidentiality of the personal information, and participation in any privacy or security program sponsored by a government or any third party, including any self-regulatory or standard setting organization.

SkyMed must send breach notifications to all impacted consumers and provide information about any information that has potentially been exposed. An information security program must be implemented, which must be coordinated by a designated, qualified employee. The program must include an organization-wide risk assessment to identify potential internal and external risks, and safeguards must be implemented to ensure those risks are mitigated and personal information is protected.

Logs of database access must be created and monitored, and data encryption must be implemented for sensitive data such as financial account information, passport numbers, and health information.  Access controls are required for all data repositories containing personal data and restrictions must be put in place to limit access to sensitive data. SkyMed is also required to certify annually that it is in compliance with the requirements detailed in the FTC settlement.

The post FTC Settles 2019 Consumer Data Breach Case with SkyMed appeared first on HIPAA Journal.

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices When Making Regulatory Determinations

Posted by HIPAA Journal

A new bill (HR 7988) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes.

The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations.

The bill defines ‘Recognized Security Practices’ as “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”

The bill also confirms that its aim is to reduce potential sanctions, penalties, and the length of audits when cybersecurity best practices are followed, and not to give the HHS the authority to increase audit lengths, fines, and penalties when an entity is discovered not to be in compliance with recognized security standards.

The bill easily passed the house vote and is expected to pass the Senate vote next week. The bill has received considerable support from many health IT industry stakeholder groups, including HITRUST. HITRUST believes the legislation will help to improve the cybersecurity posture of the healthcare industry, will encourage healthcare organizations to take a more proactive approach to HIPAA compliance, and will ensure entities that have achieved HITRUST Cybersecurity Standard Framework (CSF) Certification are recognized for their proactive approach to protecting healthcare data.

The bill also has the backing of the Healthcare and Public Health Sector Coordinating Council (HSCC), which believes the legislation will act as a positive incentive for health providers to increase investment in cybersecurity for the benefit of regulatory compliance and patient safety.

The post House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices When Making Regulatory Determinations appeared first on HIPAA Journal.

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

Posted by HIPAA Journal

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI).

OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data.

“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” said HHS Secretary Alex Azar. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”

HIPAA was initially signed into law in 1996 and the Privacy Rule took effect in 2003, prior to widespread adoption of electronic medical records and before many online and mobile services were available. The proposed updates are intended to remove some of the barriers to digital health, with definitions added for terms such as electronic health records and personal health applications.

Strengthening Patients’ Rights to their Own Healthcare Data

The HIPAA Privacy Rule gave patients the right to access their own healthcare data. The proposed changes will see those rights strengthened with regard to electronic protected health information (ePHI) and inspecting PHI in person. Individuals will be permitted to take notes and use personal resources to view and capture images of their own PHI, such as taking photographs of their own medical records and medical images. The time frame for providing patients with access to their own PHI has been shortened from 30 days to 15 days from the date of request and the identity verification burden on individuals has been eased.

Disclosures to Telecommunication Relay Services (TRS), which are used by the deaf and hard of hearing, are expressly permitted and TRS providers have been excluded from the definition of business associate.

The HHS has specified when ePHI must be provided to individuals at no cost – such as when ePHI is provided through online patient portals – and the permissible fee structure has been amended for responding to requests to direct healthcare records to a third party.

The HHS has also created a pathway for individuals to direct the sharing of ePHI in an EHR among covered health care providers and health plans. Covered entities will also be required to publish estimated fee structures on their websites for providing access to PHI and copies of PHI, as well as provide individuals with itemized bills for completed requests.

Improving Coordination of Care and Reducing the Administrative Burden

Several changes have been proposed to improve information sharing for care coordination and case management for individuals, which will make it easier for hospitals and physician practices to share patient information with other healthcare providers and social service and caregiving agencies.

If patients give their authorization for their healthcare provider or doctor to see their medical records from another healthcare provider, it will be the healthcare provider or doctor’s office that will be responsible for getting that information rather than the patient.

The privacy standard that permitted covered entities to make disclosures based on their professional judgement has been changed to permit uses and disclosures based on a covered entity’s good faith belief that a use or disclosure is in the best interests of the patient, which is more permissive.

Changes have also been proposed to remove the administrative burden on healthcare providers, such as long-awaited removal of the requirement to have patients sign a notice of privacy practices, instead they will only need to be provided with a notice of privacy practices. This change alone is expected to save the healthcare industry an estimated $3.2 billion over five years.

Changes have been proposed to improve the sharing of healthcare data in crises and emergencies. Currently, the HIPAA Privacy Rule permits covered entities to disclose patient health information to avert a serious and imminent threat to health or patient safety. The wording has been changed to avert threats when harm is ‘serious and reasonably foreseeable’. The change would make it easier for healthcare providers to share information when individuals have stated they are contemplating suicide, for instance, and would improve care coordination in emergencies such as the opioid and COVID-19 public health emergencies.

Commonsense, Bipartisan HIPAA Privacy Rules Changes

“Today’s announcement is a continuation of our ongoing work under my Regulatory Sprint to Coordinated Care to eliminate unnecessary regulatory barriers blocking patients from getting better care,” said HHS Deputy Secretary Eric Hargan. “These proposed changes reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA’s promise of privacy and security.”

The HHS is accepting comments from all healthcare industry stakeholders, including patients and their families, healthcare providers, health plans, business associates, health IT vendors and government entities. Comments must be submitted within 60 days of the publication of the notice of proposed rulemaking in the Federal Register.

With President-Elect Biden due to take office in January, it is likely there will be significant amendments to the proposed HIPAA Privacy Rule changes; however, many of the updates have been proposed to address issues that have been proving problematic for hospitals, doctors, and patients for many years and are non-partisan, commonsense changes. HHS officials hope the incoming administration will understand the need for these HIPAA Privacy Rule changes and will provide the support to ensure they are implemented.

You can view the proposed 2020 HIPAA Privacy Rule changes on this link (PDF).

The post HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights appeared first on HIPAA Journal.

October 2020 Healthcare Data Breach Report

Posted by HIPAA Journal

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud.

Healthcare data breaches Sept 2019 to Oct 2020

The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months.

Healthcare records breaches in the past 12 months

Largest Healthcare Data Breaches Reported in October 2020

Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause
Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack
AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware
Presbyterian Healthcare Services Healthcare Provider Hacking/IT Incident 193,223 Phishing Attack
Sisters of Charity of St. Augustine Health System Healthcare Provider Hacking/IT Incident 118,874 Blackbaud Ransomware
Timberline Billing Service, LLC Business Associate Hacking/IT Incident 116,131 Ransomware Attack
Greenwich Hospital Healthcare Provider Hacking/IT Incident 95,000 Blackbaud Ransomware
OSF HealthCare System Healthcare Provider Hacking/IT Incident 94,171 Blackbaud Ransomware
Geisinger Healthcare Provider Hacking/IT Incident 86,412 Blackbaud Ransomware
CCPOA Benefit Trust Fund Health Plan Hacking/IT Incident 80,000 Ransomware Attack
Ascend Clinical, LLC Healthcare Provider Hacking/IT Incident 77,443 Phishing and Ransomware Attack
Centerstone of Tennessee, Inc. Healthcare Provider Hacking/IT Incident 50,965 Phishing Attack
Georgia Department of Human Services Healthcare Clearing House Hacking/IT Incident 45,732 Phishing Attack
Connecticut Department of Social Services Health Plan Hacking/IT Incident 37,000 Phishing Attack
State of North Dakota Healthcare Provider Hacking/IT Incident 35,416 Phishing Attack
AdventHealth Shawnee Mission Healthcare Provider Hacking/IT Incident 28,766 Blackbaud Ransomware

Causes of October 2020 Healthcare Data Breaches

As the above table shows, the healthcare industry in the United States has faced a barrage of ransomware attacks. Two thirds of the largest 15 data breaches reported in October involved ransomware. CISA, the FBI, and the HHS issued a joint alert in October after credible evidence emerged indicating the Ryuk ransomware gang was targeting the healthcare industry, although that is not the only ransomware gang that is conducting attacks on the healthcare sector.

Phishing attacks continue to plague the healthcare industry. Phishing emails are often used to deliver Trojans such as Emotet and TrickBot, along with the Bazar Backdoor, which act as ransomware downloaders.

Phishing and ransomware attacks are classed as hacking/IT incidents on the HHS breach portal. In total there were 46 hacking/IT incidents reported to the HHS’ Office for Civil Rights in October – 73% of all reported breaches in October – and 2,450,645 records were breached in those incidents – 97.39% of all records breached in the month. The mean breach size was 53,275 records and the median breach size was 13,069 records.

There were 12 unauthorized access/disclosure incidents reported in October involving 54,862 healthcare records. The mean breach size was 4,572 records and the median breach size was 1,731 records. There were 4 reported cases of theft of paperwork or electronic devices containing PHI. The mean breach size was 4,290 records and the median breach size was 1,293 records. One incident was reported that involved the improper disposal of computer equipment that contained the ePHI of 4,290 individuals.

causes of October 2020 Healthcare Data Breaches

The graph below shows where the breached records were located. The high number of network server incidents shows the extent to which malware and ransomware was used in attacks. Almost a third of the attacks involved ePHI stored in email accounts, most of which were phishing attacks. Several breaches involved ePHI stored in more than one location.

Location of PHI in October 2020 Healthcare Data Breaches

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in October with 54 breaches reported, followed by health plans with 3 breaches and one breach at a healthcare clearinghouse. While there were only 5 data breaches reported by business associates of covered entities, business associates were involved in 23 data breaches in October, with 18 of the incidents being reported by the affected covered entity.

October 2020 Healthcare Data Breaches by Covered Entity Type

Healthcare Data Breaches by State

October’s 63 data breaches were spread across 27 states. Connecticut was the worst affected state with 7 breaches, followed by California and Texas with 5 each, Florida, Ohio, Pennsylvania, and Virginia with 4 apiece, Iowa and Washington with 3, and Arkansas, Michigan, New Mexico, New York, Tennessee, and Wisconsin with 2. A single breach was reported in each of Georgia, Hawaii, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Missouri, North Dakota, New Jersey, and South Carolina.

HIPAA Enforcement Activity in October 2020

2020 has seen more financial penalties imposed on covered entities and business associates than any other year since the HIPAA Enforcement Rule gave OCR the authority to issue financial penalties for noncompliance.  Up to October 30, 2020, OCR has announced 15 settlements to resolve HIPAA violation cases, including 4 financial penalties in October.

The health insurer Aetna paid a $1,000,000 penalty to resolve multiple HIPAA violations that contributed to the exposure of HIV medication information in a mailing. OCR investigators found issues with the technical and nontechnical evaluation in response to environmental or operational changes affecting the security of PHI, an identity check failure, a minimum necessary information failure, insufficient administrative, technical, and physical safeguards, and an impermissible disclosure of the PhI of 18,849 individuals.

The City of New Haven, CT paid a $202,400 penalty to resolve its HIPAA case with OCR that stemmed from a failure to promptly restrict access to systems containing ePHI following the termination of an employee. That failure resulted in an impermissible disclosure of the ePHI of 498 individuals. OCR also determined there had been a risk analysis failure and a failure to issue unique IDs to allow system activity to be tracked.

Two of the penalties were issued as part of OCR’s HIPAA Right of Access enforcement initiative, with the fines imposed for the failure to provide patients with timely access to their medical records at a reasonable cost. Dignity Health, dba St. Joseph’s Hospital and Medical Center, settled its case with OCR and paid a $160,000 penalty and NY Spine settled for $100,000.

State attorneys general also play a role in the enforcement of HIPAA compliance. October saw Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC settle a multi-state action related to a breach of the ePHI of 6.1 million individuals in 2014. The investigators determined there had been a failure to implement and maintain reasonable security practices. The case was settled for $5 million.

The post October 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative.

In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records.

The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer.

The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that an individual is permitted to have the requested records sent to a nominated third party, should they so wish.

The complaint was filed with OCR more than 13 weeks after the patient’s request. OCR intervened and UCMC finally provided the lawyer with the requested records on August 7, 2019, more than 5 months after the initial request was received.

After investigating the complaint, OCR determined UCMC had failed to respond to the patient’s request for a copy of her medical records in a timely manner and a financial penalty was deemed appropriate.

In addition to the financial penalty, UCMC is required to adopt a corrective action plan that includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. Those policies must be reviewed by OCR and implemented within 30 days of OCR’s approval.

The policies must be distributed to all members of the workforce and appropriate business associates and the policies must be reviewed and updated, as necessary, at least annually. Training materials must also be created and supplied to OCR for approval, and training provided to appropriate members of the workforce on the new policies.

UCMC is required to provide OCR with details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records along with copies of business associate agreements, and UCMC must report all instances where requests for records have been denied. OCR will monitor UCMC closely for compliance for 2 years from the date of the resolution agreement.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director, in a statement.

The post HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center appeared first on HIPAA Journal.

Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation.

OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provider her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later and the records had still not been provided.

OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually provided to the patient in September 2020, 26 months after the initial request. HIPAA requires medical records to be provided within 30 days of a request being received.

OCR determined the failure to provide the medical records was in violation of the requirements of the HIPAA Right of Access (45 C.F.R. § 164.524). Dr. Bhayani also failed to respond to letters sent by OCR on August 2, 2019 and October 22, 2019 requesting data. The failure to cooperate with OCR’s investigation of a complaint was in violation of 45 C.F.R. §160.310(b). OCR determined the violations warranted a financial penalty. Dr. Bhayani agreed to settle the case with no admission of liability.

“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion.  We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said OCR Director Roger Severino.

The corrective action plan requires Dr. Bhayani to review and revise policies and procedures for providing individuals with access to their PHI in line with 45 C.F.R. § 164.524 and the policies must detail the methods used to calculate a reasonable, cost-based fee for providing access. Those policies must be submitted to OCR for review, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani is also required to provide privacy training to staff covering individual access to protected health information and the training materials must similarly be submitted to OCR for review and approval.

Every 90 days, Dr. Bhayani is required to send a list of all access requests to OCR, including the costs charged for dealing with the requests, along with details of any requests that have been denied. Any cases of staff members failing to comply with access requests must also be reported to OCR.

OCR will monitor Dr. Bhayani for two years from the date of the resolution agreement to ensure continued compliance with the HIPAA Right of Access.

The post Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure appeared first on HIPAA Journal.

Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 10th financial penalty under its HIPAA Right of Access enforcement initiative.

California-based Riverside Psychiatric Medical Group has agreed to pay a financial penalty of $25,000 to resolve a potential HIPAA Right of Access violation and will adopt a corrective action plan to ensure compliance with this important provision of the HIPAA Privacy Rule. The HHS will monitor Riverside Psychiatric Medical Group for 2 years to ensure continued compliance.

OCR launched an investigation following receipt of a complaint from a patient in March 2019 alleging Riverside Psychiatric Medical Group failed to provide a copy of her medical records after she had made several requests, with the first request made in February 2019.

OCR contacted Riverside Psychiatric Medical Group and provided technical assistance on how the practice could comply with the HIPAA Right of Access and the case was closed. A month later, in April 2019, a second complaint was received from the patient saying she had still not been provided with her medical records, despite OCR’s intervention.

OCR reopened the investigation and determined that Riverside Psychiatric Medical Group had potentially violated the HIPAA Right of Access after failing to take any action. Riverside Psychiatric Medical Group explained that the request for records included psychotherapy notes and, as such, the practice was not required to comply.

OCR explained that psychotherapy notes do not need to be provided to patients; however, in cases when requests are received, requestors must be provided with a written explanation as to why the requested records will not be provided, either entirely or in part and access should be provided to parts of medical records that do not include psychotherapy notes. Riverside Psychiatric Medical Group had not written to the patient to explain why the request had been denied.

After OCR’s second intervention, the patient was provided with a copy of her medical records in October 2019, as requested, minus the psychotherapy notes.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino in a statement about the settlement.

The post Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative appeared first on HIPAA Journal.