HIPAA Compliance News

HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced that certain legislative changes made in the HIPAA Omnibus Final Rule of 2013 – Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act, and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Ruleshave been reversed.

The reversal applies to a portion of the rule that expanded the third-party directive within the individual right of access (45 C.F.R. §164.524) “beyond requests for a copy of an electronic health record with respect to

Member Login

of an individual … in an electronic format” and guidance issued in 2016 confirming fee limitations for providing a copy of an individual’s PHI – 45 C.F.R. § 164.524(c)(4) – also apply to an individual’s request to send health records to a third party for legal or commercial reasons. Those fee limitations will now only apply to an individual’s request for access to their own records, not for an individual’s request to send a copy of their PHI to a third party such as a lawyer or insurance company.

The reversal followed the conclusion of legal action by the medical records provider, Ciox Health, challenging the changes. Ciox Health contracts with healthcare providers to maintain, retrieve, and produce individuals’ PHI. Ciox Health handles requests from healthcare providers to supply individuals’ PHI for treatment purposes, along with requests from patients exercising their rights under the HIPAA individual right of access, and requests to send PHI to legal and commercial entities. Ciox Health handles tens of millions of requests for PHI each year.

Ciox Health understood the fee limitations only applied to requests from individuals for access to their own PHI, and not to requests to send PHI to legal and commercial entities. However, in 2016, the Department of Health and Human Services (HHS) issued a guidance document in which it was made clear that the fee limitations had been expanded to include requests for PHI from legal and commercial entities. According to the lawsuit, that change resulted in Ciox Health and other medical records companies losing millions in revenue. The change was challenged as it was seen to be violative of the procedural and substantive protections of the Administrative Procedure Act (“APA”).

Ciox also challenged the types of labor costs that are recoverable under the fee limitation, the three methods for calculating fees for providing the records, and the 2013 change requiring medical records companies “to send PHI to third parties regardless of the format in which the PHI is contained and in the format specified by the patient.” The HHS filed a motion to dismiss and the cross-motions went before a federal court for summary judgment.

The HHS motion to dismiss was granted in part and denied in part, and the cross-motions were also granted in part and dismissed in part. The HHS motions to dismiss were denied in all cases apart from the three methods for calculating fees.

The court held that the rule requiring PHI to be delivered to third parties regardless of the records’ format was ‘arbitrary and capricious’ as it went beyond the requirements of the HITECH Act. The court also ruled in favor of the plaintiff on the challenge to the 2016 expansion of fee limitations, as this was a legislative change and the HHS failed to subject the change to notice and comment, in violation of the ACA. The 2016 explanation of what labor costs can be recovered was determined to be an interpretive rule and was therefore not subject to notice and comment.

The court declared the changes unlawful and vacated the 2016 expansion of fee limitations and the 2013 mandate broadening PHI delivery to third parties regardless of format. The Ciox Health, LLC v. Azar, et al court order can be viewed on this link.

The post HHS’ Office for Civil Rights Makes Changes to Individuals’ Right of Access to Health Records appeared first on HIPAA Journal.

December 2019 Healthcare Data Breach Report

Posted by HIPAA Journal

There were 38 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights in December 2019, an increase of 8.57% from November 2019.

While the number of breaches increased, there was a major reduction in the number of exposed healthcare records, falling from 607,728 records in November 2019 to 393,189 records in December 2019 – A drop of 35.30%. In December the mean breach size was 10,347 records and the median breach size was 3,650 records.

It has been a particularly bad year for healthcare data breaches. 2019 was the second worst ever year for healthcare data breaches in terms of the number of patients impacted by breaches. 41,232,527 healthcare records were exposed, stolen, or impermissibly disclosed in 2019. That’s 195.61% more than 2018. More healthcare records were breached in 2019 than in the previous three years combined.

healthcare records exposed by year

The number of reported data breaches also increased 36.12% year-over-year, from 371 breaches in 2018 to 505 breaches in 2019. That makes 2019 the worst every year in terms of the number of reported healthcare data breaches.

Healthcare data breaches in 2019

Largest Healthcare Data Breaches in December 2019

The largest healthcare data breach reported in December affected Truman Medical Center in Kansas City, MO and involved the protected health information of 114,466 patients. The records were stored on a company-owned laptop computer that was stolen from the vehicle of an employee. The laptop was password-protected but was not encrypted.

8 of the top 10 breaches in December were hacking/IT incidents. The Adventist Health Simi Valley, Healthcare Administrative Partners, Cheyenne Regional Medical Center, SEES Group, and Sinai Health System breaches were due to phishing attacks. Roosevelt General Hospital discovered malware on an imaging server and Children’s Choice Pediatrics experienced a ransomware attack.

The Colorado Department of Human Services breach was due to a coding error on a mailing and Texas Family Psychology Associates discovered an unauthorized individual had accessed its electronic medical record system.

Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected
Truman Medical Center, Incorporated Healthcare Provider Theft 114,466
Adventist Health Simi Valley Healthcare Provider Hacking/IT Incident 62,000
Roosevelt General Hospital Healthcare Provider Hacking/IT Incident 28,847
Healthcare Administrative Partners Business Associate Hacking/IT Incident 17,693
Cheyenne Regional Medical Center Healthcare Provider Hacking/IT Incident 17,549
SEES Group, LLC Healthcare Provider Hacking/IT Incident 13,000
PediHEalth, PLLC, dba Children’s Choice Pediatrics Healthcare Provider Hacking/IT Incident 12,689
Sinai Health System Healthcare Provider Hacking/IT Incident 12,578
Colorado Department of Human Services Healthcare Provider Hacking/IT Incident 12,230
Texas Family Psychology Associates, P.C. Healthcare Provider Unauthorized Access/Disclosure 12,000

 

Entities Affected by December 2019 Healthcare Data Breaches

28 healthcare providers reported breaches of 500 or more healthcare records in December. Four health plans were affected by data breaches and 6 business associates of covered entities reported a breach. One additional breach had some business associate involvement, but the breach was reported by the covered entity.

December 2019 Healthcare Data Breaches by Covered Entity

Causes of December 2019 Healthcare Data Breaches

There were 21 hacking/IT incidents reported by HIPAA-covered entities and business associates in December. 226,774 healthcare records were exposed or stolen in those incidents. The mean breach size was 10,798 records and the median breach size was 5,991 records. The incidents mostly consisted of phishing attacks, ransomware and malware infections, and coding errors.

There were 11 cases of unauthorized accessing of healthcare data and impermissible disclosures of protected health information due to a mix of insider errors and malicious actions by employees. These incidents involved 46,364 healthcare records. The mean breach size was 4,214 records and the median breach size was 3,500 records.

There were two theft incidents reported and three incidents involving lost electronic devices and paperwork containing protected health information. 118,877 records were lost or stolen in those incidents. The mean breach size was 23,775 records and the median breach size was 1,100 records. There was also one case of incorrect disposal of paperwork involving documents containing the PHI of 1,174 patients.

Causes of December 2019 healthcare data breaches

Location of Breached Protected Health Information

The chart below clearly indicates the difficulty healthcare organizations have securing their email systems and protecting them against unauthorized access. The majority of the email incidents in December 2019 were phishing attacks in which unauthorized individuals obtained the login credentials of employees and used them to remotely access their email accounts.

Email security solutions can block the majority of phishing and malware-laced emails, but some phishing emails will slip through the net. It is therefore important – and a requirement of HIPAA – to provide regular security awareness training to employees to help them identify malicious emails. Multi-factor authentication should also be implemented. In the event to email credentials being obtained by unauthorized individuals, in the vast majority of cases, MFA will prevent those credentials from being used to remotely access email accounts.

Location of Breached PHI - December 2019

December 2019 Healthcare Data Breaches by State

December data breaches were reported by HIPAA-covered entities and business associates in 22 states and the District of Columbia. Texas was the worst affected with 4 breaches, 4 breaches were reported by entities based in California and Illinois, Florida experienced 3 breaches, and two breaches were reported by entities based in Colorado, Georgia, and Tennessee.

A single breach was reported by entities based in Alaska, Connecticut, Louisiana, Maryland, Michigan, Missouri, New Mexico, New York, Ohio, Oklahoma, Pennsylvania, North Carolina, South Carolina, Washington, Wyoming, and District of Columbia.

HIPAA Enforcement Activity in December 2019

The Department of Health and Human Services’ Office for Civil Right closed December with two further enforcement actions against covered entities that were discovered to have violated the HIPAA Rules.

The first financial penalty of the month to be announced was a settlement with Korunda Medical LLC. This was the second financial penalty imposed on a HIPAA-covered entity under OCR’s HIPAA Right of Access Initiative. OCR investigated Korunda Medical following receipt of a complaint from a patient who had not been provided with a copy of her medical records. OCR issued technical assistance, but a further patient submitted a similar complaint a few days later and a financial penalty was determined to be appropriate. Korunda Medical settled the case for $85,000.

The second penalty was imposed on West Georgia Ambulance for multiple violations of HIPAA Rules. OCR launched an investigation following receipt of a breach notification about the loss of an unencrypted laptop computer. OCR discovered longstanding noncompliance with several aspects of the HIPAA Rules. A risk analysis had not been conducted, there was no security awareness training program for employees, and West Georgia Ambulance had failed to implement HIPAA Security Rule policies and procedures. West Georgia Ambulance settled the case for $65,000.

2019 HIPAA Enforcement Actions

In total, there were 10 financial penalties were imposed on covered entities and business associates in 2019, comprising 2 Civil Monetary Penalties and 8 settlements totaling $12,274,000.

Entity Penalty Penalty Type
West Georgia Ambulance $65,000 Settlement
Korunda Medical, LLC $85,000 Settlement
Sentara Hospitals $2,175,000 Settlement
Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty
University of Rochester Medical Center $3,000,000 Settlement
Jackson Health System $2,154,000 Civil Monetary Penalty
Elite Dental Associates $10,000 Settlement
Bayfront Health St Petersburg $85,000 Settlement
Medical Informatics Engineering $100,000 Settlement
Touchstone Medical imaging $3,000,000 Settlement

Figures for this report were calculated from the U.S. Department of Health and Human Services’ Office for Civil Rights Research Report on January 21, 2020.

The post December 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

California Bill Proposes Further Health Data Exemptions for CCPA

Posted by HIPAA Journal

On January 1, 2020, the California Consumer Protection Act (CCPA) came into effect. CCPA enhanced privacy protections for state residents and gave Californians new rights over their personal data.

Healthcare data covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from CCPA but there is still potential for CCPA to cause compliance headaches for healthcare organizations.

A new bill – AB 713 – has now been introduced which aims to simplify compliance by adding further categories of data to the CCPA exemptions, specifically health data that has been de-identified in accordance with HIPAA Rules, personal information used for public health and safety purposes, medical research data, and health information collected, maintained, or used by business associates of HIPAA-covered entities. The bill was unanimously approved by the State Senate Health Committee this month.

The change to the exemption for deidentified health data is required as the definitions of deidentified data differ under HIPAA and CCPA and data de-identified in accordance with HIPAA could still contain data covered by CCPA. HIPAA only require identifiers to be removed that could be used to identify patients. It does not require the removal of identifiers for workforce members or providers, which is covered by CCPA.

AB 713 adds a new exemption for health data that is deidentified in accordance with HIPAA, provided the following three conditions are met:

Data is deidentified through either the safe harbor or expert determination method detailed in 45 CFR § 164.514 (b); data is derived from protected health information, medical information, individually identifiable health information, or identifiable private information, consistent with the Federal Policy for the Protection of Human Subjects (Common Rule); the business or business associate does not try to or actually re-identify individuals from the data.

The exemption applies to information deidentified in accordance with HIPAA. This exemption would therefore also apply to entities not covered by HIPAA.

While AB 713 would exempt deidentified information, a business will be required to disclose, via a consumer-facing public notice, if deidentified information will be provided to third parties and the method used to deidentify the data.

CCPA does not cover certain types of personal information used for research, such as data collected for clinical trials subject to the Common Rule. AB 713 adds further exemptions for personal information collected or used in biomedical research studies subject to institutional review board standards, the ethics and privacy requirements of the Common Rule, the International Council for Harmonization’s good clinical practice guidelines, or the FDA’s human subject protection requirements. An exemption is also added for personal information collected for or used in research, subject to all applicable ethics and privacy laws, if the information is either individually identifiable health information (45 CFR § 160.103) or medical information governed by the California Confidentiality of Medical Information Act (CMIA).

AB 713 also adds an exemption for personal information that is only used for the following purposes, provided the information is protected in accordance with all confidentiality and privacy provisions applicable under federal or state law:

  • Product registration and tracking consistent with applicable FDA regulations and guidelines.
  • Public health activities and purposes detailed in 45 CFR § 164.512
  • FDA-regulated quality, safety, and effectiveness activities

The post California Bill Proposes Further Health Data Exemptions for CCPA appeared first on HIPAA Journal.

Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors

Posted by HIPAA Journal

Many group health plan sponsors are not fully compliant with the Health Insurance Portability and Accountability Act Rules, according to a recent survey by the integrated HR and benefits consulting, technology, and administration services firm, Buck.

The survey uncovered several areas where group health plan sponsors are noncompliant and revealed many group health plan sponsors are not prepared for a compliance investigation or HIPAA audit.

The 2019 HIPAA Readiness Survey was conducted between April 29, 2019 and May 17, 2019 on 31 group health plan sponsors.

The survey uncovered several areas where important provisions of HIPAA Rules are not fully understood or are not being followed such as risk analyses, business associate agreements, HIPAA training for staff, and breach notifications.

Risk analyses are not being conducted as frequently as they should, so threats to the confidentiality, integrity and availability of ePHI may not be identified and managed. 42% of respondents were unsure when a HIPAA-compliant risk assessment was last conducted or that said it was last conducted more than 5 years ago. 10% said the last time a risk/threat analysis was conducted was more than 5 years ago.

Business associate agreements were another area where survey respondents highlighted potential HIPAA failures. 33% of respondents had not created an inventory of their business associates or were unaware whether an inventory had been created. 16% of respondents said they did not have current business associate agreements for certain vendors or were unaware if current BAAs had been obtained. 3% said they do not have current business associate agreements in place.

45% of respondents said privacy and security policies were updated in the past year, but 45% said they were updated between 1 and 5 years ago, and 3% said they had not been updated for at least 5 years.

Almost three quarters of respondents had prepared for breaches and had developed breach notification polices. 10% of respondents said they did not have policies in place covering breach notifications and 16% were unsure if they had policies covering breach notifications.

Refresher HIPAA training sessions are required to ensure employees are reminded of the importance of HIPAA compliance and understand their responsibilities under HIPAA. More than a third of respondents (35%) had last been offered HIPAA training between one and five years ago, with 13% admitting that HIPAA training was not ongoing and was only provided when onboarding staff. One in ten respondents said they did not know when training on HIPAA was last provided to employees.

Privacy and security policies and procedures must be implemented, but it is essential that those policies are followed by employees. To determine whether that is the case, operational reviews are required. These reviews show whether day-to-day working practices are HIPAA compliant. 23% of respondents said they had not conducted an operational review and 43% of respondents did not know if a review had been conducted.

In the event of a data breach, complaint, or audit, HIPAA failures are likely to be uncovered, which could easily result in a financial penalty for noncompliance. To avoid financial penalties, it is essential for group health plan sponsors to be fully aware of the requirements of HIPAA, have compliant policies and procedures in place, and to regularly assess their compliance efforts and ensure that, in the event of an audit, compliance can be demonstrated.

The post Survey Reveals HIPAA Compliance Issues with Group Health Plan Sponsors appeared first on HIPAA Journal.

Georgia Man Charged Over False Allegations of HIPAA Violations

Posted by HIPAA Journal

A Georgia man has been charged over an elaborate scheme to frame an acquaintance for violations of the Health Insurance Portability and Accountability Act (HIPAA) that never occurred.

Jeffrey Parker, 43, of Richmond Hill, GA, claimed he was a whistleblower reporting HIPAA violations by a nurse. He reported the violations to the hospital where the person worked, and complaints also sent to the Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI). Parker was also interviewed by Fox28Media in October 2018 and told reporters that the nurse had been violating HIPAA privacy laws for an extensive period.

The nurse worked at an unnamed hospital in Savannah, GA, which was part of a health system that also operated healthcare facilities in Nashville, TN and other areas. She was alleged to have emailed graphic photographs of patients with traumatic injuries such as gunshot wounds to other individuals outside the hospital. In the Fox28Media interview Parker explained that the sharing of images between employees and other individuals had been going on for a long time.

Parker requested that his identity remain hidden out of fear for his personal safety. He also claimed he had received threats as a result of reporting the HIPAA violations.

In additions to claiming the nurse had violated HIPAA, Parker set up email accounts using the names of real hospital employees. Those email accounts were used to send further reports of HIPAA violations to the hospital as well as the DoJ and the FBI to make it appear that the nurse’s co-workers were also reporting HIPAA violations.

The FBI responded quickly to the threats over his personal safety and interviewed Parker about the alleged crimes. An FBI agent found inconsistencies in Parker’s story and, upon further questioning, Parker admitted making false statements and creating the email addresses to support his story. According to the Fox28Media story, the nurse was a former lover of Parker.

“Falsely accusing others of criminal activity is illegal, and it hinders justice system personnel with the pursuit of unnecessary investigations,” said U.S. Attorney Bobby L. Christine. “This fake complaint caused a diversion of resources by federal investigators, as well as an unnecessary distraction for an important health care institution in our community.”

Parker was charged with one count of false statements by the U.S. Attorney for the Southern District of Georgia. Parker now faces up to five years imprisonment for the crime.

“Hopefully the quick uncovering of this alleged scheme by our investigators will send a message that these types of actions will be exposed, and justice will be served,” said Chris Hacker, Special Agent in Charge of FBI Atlanta.

The post Georgia Man Charged Over False Allegations of HIPAA Violations appeared first on HIPAA Journal.

Is It Possible to Have HIPAA Compliant Gmail?

Posted by HIPAA Journal

With around 1.5 million users, Gmail is the most popular email service but can Gmail be used by healthcare organizations to send protected health information? Is it possible to make Gmail HIPAA compliant?

Is Gmail HIPAA Compliant?

In order for Gmail to be HIPAA compliant, Google would have to ensure that the email platform is secure and meets the minimum standards for security laid down in the HIPAA Security Rule. A covered entity would also need to enter into a business associate agreement with Google covering Gmail, as Google would be classed as a business associate under HIPAA. While encryption for email is not mandatory under HIPAA, it is a requirement if emails containing protected health information are to be sent externally beyond the protection of a firewall. If emails are sent externally, they would need to be secured with end-to-end encryption.

Google has implemented excellent security and its email service meets the requirements of the HIPAA Security Rule. Google is willing to enter into business associate agreements with HIPAA-covered entities that cover its email service, so provided a BAA is obtained, that HIPAA compliance box is also checked. Encryption for email can be applied, so Google does offer an email services that can be made HIPAA compliant. However, while you can make Gmail HIPAA compliant, it is not compliant by default.

Google offers Gmail for free and this email service is not HIPAA compliant. The standard free email service, which includes an @gmail.com email address, is only intended for personal use.

To be compliant with HIPAA you need to use Google’s G Suite (formerly Google Apps) email service, for which a subscription must be paid. This paid email service is intended for use with a company-owned domain. @hipaajournal.com for example. Google offers a business associate agreement for G Suite, but its BAA does not cover its free @gmail.com email service.

If you pay for G Suite and obtain a BAA, your email is still not yet compliant. You must ensure that your emails are encrypted. Google only encrypts emails at rest, not in transit. To send PHI via Gmail-powered G Suite, you will need to pay for an end-to-end email encryption service.

There are many encryption services that are compatible with Gmail. You can use Google Apps Message Encryption (GAME) or a third-party email encryption solution such as those offered by Identillect, LuxSci, Paubox, RMail, Virtru, or Zix.

You must then ensure your employees are trained on the correct use of email, are aware of the internal and federal rules covering the transmission of PHI via email, and they must take care to ensure the emails are sent to the correct recipient. You must also obtain consent from patients to send their PHI via email.

The post Is It Possible to Have HIPAA Compliant Gmail? appeared first on HIPAA Journal.

Does HIPAA Apply to Schools?

Posted by HIPAA Journal

HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities but how does HIPAA apply to schools? In this post we explore when HIPAA applies to schools and how the Health Insurance Portability and Accountability Act intersects with the Family Educational Rights and Privacy Act (FERPA).

Does HIPAA Apply to Schools?

Generally, HIPAA does not apply to schools because they are not HIPAA covered entities, but in some situations a school can be a covered entity if healthcare services are provided to students. In such cases, HIPAA may still not apply because any student health information collected would be included in the students’ education records and education records are exempt from the HIPAA Privacy Rule as they are covered by FERPA.

More and more schools are offering healthcare services to their students. Medical professionals are employed by some schools, some have on-site health clinics, and they often dispense medications and administer vaccines. When healthcare services are provided, health information will be collected, stored, maintained, and transmitted. Even if a school employs nurses, psychologists, or physicians, schools are not usually classed as covered entities because they do not conduct healthcare transactions electronically for which the Department of Health and Human Services has adopted standards. Most schools fall into this category and are not covered entities so HIPAA does not apply.

Some schools employ a healthcare provider that conducts transactions electronically for which the HHS has adopted standards. In this case, the school would be classed as a HIPAA covered entity. The HIPAA Transactions and Code Sets and Identifier Rules would have to be followed when electronic transactions are conducted, but it would not be a requirement to comply with the HIPAA Privacy Rule if healthcare data is stored in education records, which are covered by FERPA. If health information is stored in education records, it is not classed as protected health information and is therefore not covered by the HIPAA Privacy Rule. The school would however have to comply with FERPA privacy requirements.

One scenario where the HIPAA Privacy Rule would apply is when a healthcare professional provides medical services such as vaccinations at the school but is not employed by the school. In this situation, the healthcare professional would be required to comply with HIPAA, the records would be covered by HIPAA while they are held by the healthcare professional, and that individual would be required to obtain authorization before the health information is disclosed to the school. When those records are added to the student’s education records by the school, FERPA would apply rather than HIPAA.

FERPA, HIPAA, and Private Schools

FERPA applies to all educational institutions that receive direct funding through programs administered by the Department of Education. FERPA therefore applies to public schools, but private schools are not typically covered by FERPA as they do not receive federal funding direct from the Department for Education. If the private school is not covered by FERPA, it may or may not be covered by HIPAA depending on whether it conducts electronic transactions for which the HHS has adopted standards. If it does, it would be required to comply with HIPAA although if not, neither HIPAA nor FERPA would apply.

Further Information

To help clear up confusion over disclosures of health information under FERPA and HIPAA, the U.S. Department of Education and the HHS’ Office for Civil Rights updated their joint guidance in December 2019. The updated guidance is available on this link.

The post Does HIPAA Apply to Schools? appeared first on HIPAA Journal.

HIPAA Enforcement in 2019

Posted by HIPAA Journal

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Right (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases.

2019 saw one civil monetary penalty issued and settlements were reached with 9 entities, one fewer than 2018. In 2019, the average financial penalty was $1,022,833.

HIPAA Enforcement in 2019 by the HHS' Office for Civil Rights

 

Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCRs preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued.

This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR discovered in both cases that HIPAA Rules had been violated. OCR chose to provide technical assistance to both entities rather than issue financial penalties, but the covered entities failed to act on the guidance and a financial penalty was imposed.

Sentara Hospitals disagreed with the guidance provided by OCR and refused to update its breach report to reflect the actual number of patients affected. West Georgia Ambulance was issued with technical guidance and failed to take sufficient steps to address the areas of noncompliance identified by OCR.

If you are told by OCR that your interpretation of HIPAA is incorrect, or are otherwise issued with technical guidance, it pays to act on that guidance quickly. Refusing to take corrective action is a sure-fire way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.

There were two important HIPAA enforcement updates in 2019. OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s requirements for HIPAA penalties and a new enforcement initiative was launched.

The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations. On January 25, 2013, the HHS implemented an interim final rule and adopted a new penalty structure. At the time it was thought that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. OCR determined that the most logical reading of the HITECH Act requirements was to apply the same maximum penalty of $1,500,000 per violation category, per calendar year to all four penalty tiers.

In April 2019, OCR issued a notice of enforcement discretion regarding the penalties. A review of the language of the HITECH Act led to a reduction in the maximum penalties in three of the four tiers. The maximum penalties for HIPAA violations were changed to $25,000, $100,000, and $250,000 for penalty tiers, 1, 2, and 3. (subject to inflationary increases).

2019 saw the launch of a new HIPAA Right of Access enforcement initiative targeting organizations who were overcharging patients for copies of their medical records and were not providing copies of medical records in a timely manner in the format requested by the patient.

The extent of noncompliance was highlighted by a study conducted by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays providing copies of medical records, refusals to send patients’ PHI to their nominated representatives or their chosen health apps, not providing a copy of medical records in an electronic format, and overcharging for copies of health records are all common HIPAA Right of Access failures.

The two HIPAA Right of Action settlements reached so far under OCR’s enforcement initiative have both resulted in $85,000 fines. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.

Right of Access violations aside, the same areas of noncompliance continue to attract financial penalties, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.

HIPAA Compliance Issues Cited in 2019 Enforcement Actions

Noncompliance Issue Number of Cases
Risk Analysis 5
Breach Notifications 3
Access Controls 2
Business Associate Agreements 2
HIPAA Right of Access 2
Security Rule Policies and Procedures 2
Device and Media Controls 1
Failure to Respond to a Security Incident 1
Information System Activity Monitoring 1
No Encryption 1
Notices of Privacy Practices 1
Privacy Rule Policies and Procedures 1
Risk Management 1
Security Awareness Training for Employees 1
Social Media Disclosures 1

OCR’s HIPAA enforcement in 2019 also clearly demonstrated that a data breach does not have occurred for a compliance investigation to be launched. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the cause of a breach, but complaints can also result in an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.

 

The post HIPAA Enforcement in 2019 appeared first on HIPAA Journal.

Ambulance Company Settles HIPAA Violation Case with OCR for $65,000

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a $65,000 settlement has been reached with West Georgia Ambulance, Inc., to resolve multiple violations of Health Insurance Portability and Accountability Act Rules.

OCR launched an investigation into the Carroll County, GA ambulance company after being notified on February 11, 2013 about the loss of an unencrypted laptop computer containing the protected health information of 500 patients. According the breach report, the laptop computer fell from the rear bumper of the ambulance and was not recovered.

The investigation uncovered longstanding noncompliance with several aspects of the HIPAA Rules. OCR discovered West Georgia Ambulance had not conducted a comprehensive, organization-wide risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)), had not implemented a security awareness training program for its employees (45 C.F.R. § 164.308(a)(5)), and had failed to implement HIPAA Security Rule policies and procedures (45 C.F.R. § 164.316.).

OCR provided technical assistance to West Georgia Ambulance to help the firm address its compliance failures, but despite that assistance, OCR said no meaningful steps were taken to address the areas of noncompliance. A financial penalty was therefore warranted.

In addition to paying the $65,000 financial penalty, West Georgia Ambulance is required to adopt a corrective action plan to address all areas of noncompliance discovered by OCR during the investigation. OCR will also be scrutinizing West Georgia Ambulance’s HIPAA compliance program for two years to ensure HIPAA Rules are being followed.

“The last thing patients being wheeled into the back of an ambulance should have to worry about is the privacy and security of their medical information,” said OCR Director Roger Severino. “All providers, large and small, need to take their HIPAA obligations seriously.”

This is the 10th OCR HIPAA financial penalty of 2019. In total, $12,274,000 has been paid to OCR in 2019 to resolve noncompliance issues.

The post Ambulance Company Settles HIPAA Violation Case with OCR for $65,000 appeared first on HIPAA Journal.