HIPAA Compliance News

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

Posted by HIPAA Journal

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative.

In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records.

The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer.

The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that an individual is permitted to have the requested records sent to a nominated third party, should they so wish.

The complaint was filed with OCR more than 13 weeks after the patient’s request. OCR intervened and UCMC finally provided the lawyer with the requested records on August 7, 2019, more than 5 months after the initial request was received.

After investigating the complaint, OCR determined UCMC had failed to respond to the patient’s request for a copy of her medical records in a timely manner and a financial penalty was deemed appropriate.

In addition to the financial penalty, UCMC is required to adopt a corrective action plan that includes developing, maintaining, and revising, as necessary, written policies and procedures to ensure compliance with 45 C.F.R. Part 160 and Subparts A and E of Part 164 of the HIPAA Privacy Rule. Those policies must be reviewed by OCR and implemented within 30 days of OCR’s approval.

The policies must be distributed to all members of the workforce and appropriate business associates and the policies must be reviewed and updated, as necessary, at least annually. Training materials must also be created and supplied to OCR for approval, and training provided to appropriate members of the workforce on the new policies.

UCMC is required to provide OCR with details of all business associates and/or vendors that receive, provide, bill for, or deny access to copies or inspection of records along with copies of business associate agreements, and UCMC must report all instances where requests for records have been denied. OCR will monitor UCMC closely for compliance for 2 years from the date of the resolution agreement.

“OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director, in a statement.

The post HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center appeared first on HIPAA Journal.

Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation.

OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provider her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later and the records had still not been provided.

OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually provided to the patient in September 2020, 26 months after the initial request. HIPAA requires medical records to be provided within 30 days of a request being received.

OCR determined the failure to provide the medical records was in violation of the requirements of the HIPAA Right of Access (45 C.F.R. § 164.524). Dr. Bhayani also failed to respond to letters sent by OCR on August 2, 2019 and October 22, 2019 requesting data. The failure to cooperate with OCR’s investigation of a complaint was in violation of 45 C.F.R. §160.310(b). OCR determined the violations warranted a financial penalty. Dr. Bhayani agreed to settle the case with no admission of liability.

“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion.  We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said OCR Director Roger Severino.

The corrective action plan requires Dr. Bhayani to review and revise policies and procedures for providing individuals with access to their PHI in line with 45 C.F.R. § 164.524 and the policies must detail the methods used to calculate a reasonable, cost-based fee for providing access. Those policies must be submitted to OCR for review, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani is also required to provide privacy training to staff covering individual access to protected health information and the training materials must similarly be submitted to OCR for review and approval.

Every 90 days, Dr. Bhayani is required to send a list of all access requests to OCR, including the costs charged for dealing with the requests, along with details of any requests that have been denied. Any cases of staff members failing to comply with access requests must also be reported to OCR.

OCR will monitor Dr. Bhayani for two years from the date of the resolution agreement to ensure continued compliance with the HIPAA Right of Access.

The post Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure appeared first on HIPAA Journal.

Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative

Posted by HIPAA Journal

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 10th financial penalty under its HIPAA Right of Access enforcement initiative.

California-based Riverside Psychiatric Medical Group has agreed to pay a financial penalty of $25,000 to resolve a potential HIPAA Right of Access violation and will adopt a corrective action plan to ensure compliance with this important provision of the HIPAA Privacy Rule. The HHS will monitor Riverside Psychiatric Medical Group for 2 years to ensure continued compliance.

OCR launched an investigation following receipt of a complaint from a patient in March 2019 alleging Riverside Psychiatric Medical Group failed to provide a copy of her medical records after she had made several requests, with the first request made in February 2019.

OCR contacted Riverside Psychiatric Medical Group and provided technical assistance on how the practice could comply with the HIPAA Right of Access and the case was closed. A month later, in April 2019, a second complaint was received from the patient saying she had still not been provided with her medical records, despite OCR’s intervention.

OCR reopened the investigation and determined that Riverside Psychiatric Medical Group had potentially violated the HIPAA Right of Access after failing to take any action. Riverside Psychiatric Medical Group explained that the request for records included psychotherapy notes and, as such, the practice was not required to comply.

OCR explained that psychotherapy notes do not need to be provided to patients; however, in cases when requests are received, requestors must be provided with a written explanation as to why the requested records will not be provided, either entirely or in part and access should be provided to parts of medical records that do not include psychotherapy notes. Riverside Psychiatric Medical Group had not written to the patient to explain why the request had been denied.

After OCR’s second intervention, the patient was provided with a copy of her medical records in October 2019, as requested, minus the psychotherapy notes.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino in a statement about the settlement.

The post Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative appeared first on HIPAA Journal.

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Posted by HIPAA Journal

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, Cumberland County and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices.

Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the Shoprite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY.

In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes, driver’s license numbers, dates of birth, prescription numbers, prescription types, pickup and delivery dates.

After receiving reports about the improper disposal of ePHI, the New Jersey Division of Consumer Affairs launched an investigation and determined the disposal of the devices was in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and there had been multiple violations of the state’s fraud act. Staff at the stores had also not been provided with appropriate training on the handling and disposal of sensitive information.

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said New Jersey Attorney General Gurbir S. Grewal. “Those who compromise consumers’ private health information face serious consequences.”

Wakefern has agreed to pay $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs and will implement protective measures to ensure future data branches are prevented. Those measures include appointing a chief privacy officer, executing a business associate agreement with ShopRite Supermarkets, Union Lake, and each of the members that operate pharmacies within the supermarkets, and ensuring appropriate measures are implemented to safeguard protected health information. Each of the ShopRite stores that has a pharmacy is required to appoint a HIPAA privacy officer and HIPAA security officer to oversee compliance and online training must be provided for those officers on their privacy and security roles.

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that place consumers at risk for privacy invasion and identity theft.”

The post Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000 appeared first on HIPAA Journal.

ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule

Posted by HIPAA Journal

The deadline for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act has been extended due to the ongoing COVID-19 pandemic.

On October 29, 2020, the US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) announced the release of an interim final rule with comment period that extended the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements.

The ONC’s Cures Act Final Rule, released on March 9, 2020, defined exceptions to the information blocking provision of the 21st Century Cures Act and adopted new Health IT certification requirements which, through the use of application programming interfaces (APIs), would enhance patients’ access to their own health data through their smartphones at no cost.

Compliance deadlines were set for 2020, but health IT stakeholders expressed concern about meeting the deadlines due to the COVID-19 pandemic. On April 21, 2020, ONC announced that it would be exercising enforcement discretion with respect to the compliance deadlines and provided a further three months after the initial compliance dates for meeting all of the new requirements under the ONC Health IT Certification Program.

Due to the ongoing COVID-19 pandemic, ONC has now provided the healthcare ecosystem with further flexibility and time to respond to the COVID-19 public health emergency and has further extended to the compliance deadlines outlined in its April 2020 enforcement discretion announcement.

“We are hearing that while there is strong support for advancing patient access and clinician coordination through the provisions in the final rule, stakeholders also must manage the needs being experienced during the current pandemic,” said Don Rucker, MD, national coordinator for health IT. “To be clear, ONC is not removing the requirements advancing patient access to their health information that are outlined in the Cures Act Final Rule. Rather, we are providing additional time to allow everyone in the health care ecosystem to focus on COVID-19 response”.

The new compliance deadlines are now as follows:

April 5, 2021

  • Information blocking provisions (45 CFR Part 171)
  • Information Blocking CoC/MoC requirements (§ 170.401)
  • Assurances CoC/MoC requirements (§ 170.402, except for § 170.402(b)(2) as it relates to § 170.315(b)(10))
  • API CoC/MoC requirement (§ 170.404(b)(4)) – compliance for current API criteria
  • Communications CoC/MoC requirements (§ 170.403) (except for § 170.403(b)(1) – where we removed the notice requirement for 2020)

December 31, 2022

  • 2015 Edition health IT certification criteria updates (except for § 170.315(b)(10) – EHI export, which is extended until December 31, 2023)
  • New standardized API functionality (§ 170.315(g)(10))

The deadline for submission of initial attestations (§ 170.406) and submission of initial plans and results of real world testing (§ 170.405(b)(1) and (2)) has been extended by one calendar year.

The post ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule appeared first on HIPAA Journal.

Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT

Posted by HIPAA Journal

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case.

An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules.

During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative.

While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health information of 498 patients, including names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. That file was downloaded onto the USB drive. The actions of the former employee were witnessed by an intern.

OCR investigators also determined that the former employee had shared her login credentials with an intern, who continued to use those credentials to access PHI on the network after the employee had been terminated.

Had the New Haven Health Department deactivated the former employee’s login credentials at the time of her termination, a data breach would have been prevented. If all users had been given their own, unique login credentials, it would have been possible to accurately determine the system activity of each individual and identify their interactions with electronic protected health information.

OCR concluded that between December 1, 2014 to December 31, 2018, HIPAA Privacy Rule policies and procedures had not been implemented, New Haven had not implemented procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, and New Haven had failed to assign unique usernames and passwords to track user identity.

An accurate organization-wide risk assessment had not been performed to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information and there had been an impermissible disclosure of the PHI of 498 individuals.

In addition to the financial penalty, the City of New Haven has agreed to adopt a corrective action plan to address all areas of noncompliance. OCR will monitor the City of New Haven for HIPAA compliance for two years from the date of the resolution agreement.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The settlement is the 4th to be announced by OCR in October 2020, and the 15th HIPAA financial penalty of 2020.

The post Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT appeared first on HIPAA Journal.

Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches

Posted by HIPAA Journal

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017.

The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials.

The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service.

The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in two mailings to plan members. In both mailings, window envelopes had been used which allowed PHI to be viewed without opening the envelopes.

The first mailing in July 2017 saw benefit notices sent to 11,887 individuals who were receiving HIV medication, either for treatment or prophylaxis. The words “HIV medication” could be seen through the windows of the envelope, along with the name and address of each individual.

The second mailing, sent in September 2017, concerned a research study on individuals with an irregular heart rhythm. Through the windows of the envelope the name and logo of the atrial fibrillation research study were clearly visible along with the name and address of the recipient. The mailing was sent to 1,600 individuals.

These three incidents resulted in the impermissible disclosure of the PHI of 18,489 individuals and during the course of the investigation OCR investigators uncovered several other violations of the HIPAA Rules.

  • Aetna had not performed periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI), in violation of 45 C.F.R. § 164.308(a)(8);
  • Procedures had not been implemented to verify the identity of individuals or entities looking to access their ePHI, in violation of 45 C.F.R. § 164.312(d);
  • Disclosures of ePHI had not been limited to the minimum necessary information to achieve the purpose for the disclosure, in violation of 45 C.F.R. § 164.514(d); and
  • There was a lack of appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in violation of 45 C.F.R. § 164.530(c).

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

In addition to the financial penalty, Aetna has agreed to adopt a corrective action plan to address all areas of HIPAA noncompliance discovered by OCR. OCR will be monitoring Aetna closely for noncompliance with the HIPAA Rules for 2 years.

Settlements totaling $2,725,170 were agreed in 2018 to resolve HIPAA violation cases brought by state attorneys general in California ($935,000), Connecticut ($99,959), New Jersey ($365,211.59), New York ($1,150,000) and the District of Columbia ($175,000) over these data breaches. In 2018, Aetna also settled a class action lawsuit filed on behalf of victims of the HIV medication mailing incident for $17 million.

This year has already seen more penalties imposed on covered entities and business associates than any other year since OCR was given the authority to impose fines for HIPAA violations. There have been 14 settlements announced this year totaling $13,211,500.

The post Aetna Slapped with $1 Million HIPAA Fine for Three Data Breaches appeared first on HIPAA Journal.

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

Posted by HIPAA Journal

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020.

Sept 2020 healthcare data breach report monthly breaches

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

Sept 2020 healthcare data breach report monthly breached records

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. Databreaches.net has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

Sept 2020 healthcare data breach report causes of breaches

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September.  The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

Sept 2020 healthcare data breach report - location of PHI

Largest Healthcare Data Breaches Reported in September 2020

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause
Trinity Health Business Associate 3,320,726 Hacking/IT Incident Blackbaud Ransomware Attack
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident Blackbaud Ransomware Attack
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Colorado (affiliated covered entity) Healthcare Provider 343,493 Hacking/IT Incident Blackbaud Ransomware Attack
Nuvance Health (on behalf of its covered entities) Healthcare Provider 314,829 Hacking/IT Incident Blackbaud Ransomware Attack
The  Baton Rouge Clinic, A Medical Corporation Healthcare Provider 308,169 Hacking/IT Incident Ransomware Attack
Virginia Mason Medical Center Healthcare Provider 244,761 Hacking/IT Incident Blackbaud Ransomware Attack
University of Tennessee Medical Center Healthcare Provider 234,954 Hacking/IT Incident Blackbaud Ransomware Attack
Legacy Community Health Services, Inc. Healthcare Provider 228,009 Hacking/IT Incident Phishing Attack
Allina Health Healthcare Provider 199,389 Hacking/IT Incident Blackbaud Ransomware Attack
University of Missouri Health Care Healthcare Provider 189,736 Hacking/IT Incident Phishing Attack
The Christ Hospital Health Network Healthcare Provider 183,265 Hacking/IT Incident Blackbaud Ransomware Attack
Stony Brook University Hospital Healthcare Provider 175,803 Hacking/IT Incident Blackbaud Ransomware Attack
Atrium Health Healthcare Provider 165,000 Hacking/IT Incident Blackbaud Ransomware Attack
University of Kentucky HealthCare Healthcare Provider 163,774 Hacking/IT Incident Blackbaud Ransomware Attack
Children’s Minnesota Healthcare Provider 160,268 Hacking/IT Incident Blackbaud Ransomware Attack
Roswell Park Comprehensive Cancer Center Healthcare Provider 141,669 Hacking/IT Incident Blackbaud Ransomware Attack
Piedmont Healthcare, Inc. Healthcare Provider 111,588 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Montana (affiliated covered entity) Healthcare Provider 93,642 Hacking/IT Incident Blackbaud Ransomware Attack
Roper St. Francis Healthcare Healthcare Provider 92,963 Hacking/IT Incident Blackbaud Ransomware Attack

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

Sept 2020 healthcare data breach report - covered entity type

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the district of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

Entity Settlement
Beth Israel Lahey Health Behavioral Services $70,000
Housing Works, Inc. $38,000
All Inclusive Medical Services, Inc. $15,000
Wise Psychiatry, PC $10,000
King MD $3,500

 

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

The post September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised appeared first on HIPAA Journal.

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

Posted by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost.

HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received.

By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost.

Under the OCR HIPAA Right of Access Initiative, complaints from individuals who have been denied access to their medical records or have faced delays in receiving a copy of their records are investigated. When violations of the HIPAA right of access are uncovered, financial penalties are issued. The aim of penalties is to encourage compliance by making noncompliance very costly.

The latest financial penalty was imposed on NY Spine, a private medical practice with offices in New York and Miami that specializes in neurology and pain management. OCR received a complaint from a patient in July 2019 who claimed to have sent multiple requests to NY Spine in June 2019 requesting a copy of her protected health information.

NY Spine responded to the requests and provided some of her records but failed to provide the diagnostic films that she had specifically requested. It took intervention from OCR for NY Spine to provide those records. The patient was finally provided with a complete copy of all the requested records in October 2020, 16 months after the first request was submitted.

NY Spine and OCR agreed to settle the case for $100,000. NY Spine is also required to adopt a corrective action plan and will be monitored by OCR for compliance for 2 years.

“No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

The post OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative appeared first on HIPAA Journal.