HIPAA Compliance News

Flowers Hospital Data Breach Settlement Approved by Judge

Posted by HIPAA Journal

A class action data breach lawsuit filed against Flowers Hospital in Dothan, AL, in 2014 has finally been settled.

In 2014, an employee of Flowers Hospital stole the personal information of patients from the hospital laboratory and used the information to file fraudulent tax returns in the names of patients.

A deputy sheriff discovered patient files in the vehicle of laboratory employee, Karmarian Millender, during a traffic stop. The investigation revealed that Millender had been stealing patient records from the laboratory and had sold the information to tax fraudsters who filed fraudulent tax returns in patients’ names. Millender pleaded guilty to the theft of patient data and was sentenced to two years in prison.

Many patients incurred out-of-pocket expenses from paying for credit monitoring services, lost earnings from arranging those services and combatting identity theft, and lost interest from delayed tax refunds. A class action lawsuit was filed against the hospital to recover those costs.

The lawsuit alleged the hospital had been negligent by failing to implement adequate measures to prevent data theft. Flowers Hospital attempted to have the lawsuit dismissed for lack of standing and claimed that the plaintiffs failed to link the data breach to economic harm. A judge allowed the plaintiffs to amend the complaint and the motion to dismiss was not carried over to the updated filing.

It has taken nearly five years, but the lawsuit has finally been dismissed and Flowers Hospital has agreed to a settlement of up to $150,000. That settlement was recently approved by a judge. Up to 1,208 patients potentially had their protected health information stolen and those who filed claims will be awarded a proportion of the settlement amount.

The maximum claim per patient is $5,000, which covers loss of interest on delayed tax returns, the cost of credit monitoring services, and compensation from loss of earnings arranging those services; up to a maximum of 4 hours. The majority of breach victims are expected to be awarded up to $250 in damages.

The post Flowers Hospital Data Breach Settlement Approved by Judge appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2018

Posted by HIPAA Journal

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records.

2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records.

A Bad Year for Healthcare Data Breaches

As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records.

It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017.

In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in the exposure of 5,138,179 healthcare records.

The Largest Healthcare Data Breaches of 2018

Listed below is a summary of the largest healthcare data breaches of 2018. A brief description of those breaches has been listed below.

At the time of writing, OCR is still investigating all but one of the breaches listed below. Only the LifeBridge Health breach investigation has been closed.

Rank

 

 Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 AccuDoc Solutions, Inc. Business Associate 2,652,537 Hacking/IT Incident
2 UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
3 Employees Retirement System of Texas Health Plan 1,248,263 Unauthorized Access/Disclosure
4 CA Department of Developmental Services Health Plan 582,174 Theft
5 MSK Group Healthcare Provider 566,236 Hacking/IT Incident
6 CNO Financial Group, Inc. Health Plan 566,217 Unauthorized Access/Disclosure
7 LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
8 Health Management Concepts, Inc. Business Associate 502,416 Hacking/IT Incident
9 AU Medical Center, INC Healthcare Provider 417,000 Hacking/IT Incident
10 SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal
11 Oklahoma State University Center for Health Sciences Healthcare Provider 279,865 Hacking/IT Incident
12 Med Associates, Inc. Business Associate 276,057 Hacking/IT Incident
13 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure
14 MedEvolve Business Associate 205,434 Unauthorized Access/Disclosure
15 HealthEquity, Inc. Business Associate 165,800 Hacking/IT Incident
16 St. Peter’s Surgery & Endoscopy Center Healthcare Provider 134,512 Hacking/IT Incident
17 New York Oncology Hematology, P.C. Healthcare Provider 128,400 Hacking/IT Incident
18 Boys Town National Research Hospital Healthcare Provider 105,309 Hacking/IT Incident

 

Causes of the Largest Healthcare Data Breaches of 2018

Further information on the causes of the largest healthcare breaches of 2018.

AccuDoc Solutions, Inc.

Morrisville, NC-based AccuDoc Solutions, a billing company that operates the online payment system used by Atrium Health’s network of 44 hospitals in North Carolina, South Carolina and Georgia, discovered that some of its databases had been compromised between September 22 and September 29, 2018. The databases contained the records of 2,652,537 patients. While data could have been viewed, AccuDoc reports that the databases could not be downloaded. Not only was this the largest healthcare data breach of 2018, it was the largest healthcare data breach to be reported since September 2016.

UnityPoint Health

A UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled in a business email compromise attack. A trusted executive’s email account was spoofed, and several employees responded to the messages and disclosed their email credentials. The compromised email accounts contained the PHI of 1,421,107 individuals.

Employees Retirement System of Texas

The Employees Retirement System of Texas discovered a flaw in its ERS OnLine portal that allowed certain individuals to view the protected health information of other members after logging into the portal. The breach was attributed to a coding error. Up to 1,248,263 individuals’ PHI was potentially viewed by other health plan members.

CA Department of Developmental Services

The California Department of Developmental Services experienced a break in at its offices. During the time the thieves were in the offices they potentially accessed the sensitive information of approximately 15,000 employees, contractors, job applicants, and parents of minors who receive DDS services, in addition to the PHI of 582,174 patients.

MSK Group

Tennessee-based MSK Group, P.C, a network of orthopedic medical practices, discovered in May 2018 that hackers had gained access to its network. Certain parts of the network had been accessed by the hackers over a period of several months. The records of 566,236 patients, which included personal, health and insurance information, may have been viewed or copied by the hackers.

CNO Financial Group, Inc.

Chicago-based health insurer Bankers Life, a division of CNO Financial Group Inc., discovered hackers gained access to its systems between May 30 and September 13, 2018 and potentially stole the personal information of 566,217 individuals.

LifeBridge Health, Inc

The Baltimore-based healthcare provider LifeBridge Health discovered malware had been installed on a server that hosted the electronic medical record system used by LifeBridge Potomac Professionals and LifeBridge Health’s patient registration and billing systems. Those systems contained the PHI of 538,127 patients.

Health Management Concepts, Inc.

Health Management Concepts discovered hackers gained access to a server used for sharing files and installed ransomware. The ransom demand was paid to unlock the encrypted files; however, HMC reported that the hackers were ‘inadvertently provided’ with a file that contained the PHI of 502,416 individuals. It is suspected that the file was unwittingly sent to the attackers to prove they could decrypt files.

AU Medical Center, INC

An Augusta University Medical Center phishing attack resulted in an unauthorized individual gaining access to the email accounts of two employees. The compromised email accounts contained the PHI of 417,000 patients.

SSM Health St. Mary’s Hospital – Jefferson City

St. Mary’s Hospital moved to new premises and all patients’ medical records were transferred to the new facility; however, on June 1, 2018, the hospital discovered administrative documents containing the protected health information of 301,000 patients had been left behind. In the most part, the breach was limited to names and medical record numbers.

Oklahoma State University Center for Health Sciences

Oklahoma State University Center for Health Sciences discovered an unauthorized individual gained access to parts of its computer network and potentially accessed files containing billing information of Medicaid patients. The breach affected 279,865 patients, although only a limited amount of PHI was accessible.

Med Associates, Inc.

The Latham, NY-based health billing company Med Associates, which provides claims services to more than 70 healthcare providers, discovered an employee’s computer has been accessed by an unauthorized individual. It is possible that the attacker gained access to the PHI of up to 276,057 patients.

Adams County

Adams County, WI, discovered hackers gained access to its network and potentially accessed the PHI and PII of 258,102 individuals. The compromised systems were used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

MedEvolve

MedEvolve, a provider of electronic billing and record services to healthcare providers, discovered an FTP server had been left unsecured between March 29, 2018 and May 4, 2018. A file on the FTP server contained the PHI of 205,434 patients of Premier Immediate Medical Care.

HealthEquity, Inc.

HealthEquity, a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, experienced a phishing attack that resulted in hackers gaining access to the email accounts of two employees. Those accounts contained the PHI of 165,800 individuals.

St. Peter’s Surgery & Endoscopy Center

St. Peter’s Surgery & Endoscopy Center in New York discovered malware had been installed on one of its servers which potentially allowed hackers to view the PHI of 134,512 patients. The malware was discovered the same day it was installed. The fast detection potentially prevented patients’ data from being viewed or copied.

New York Oncology Hematology, P.C.

A phishing attack on New York Oncology Hematology in Albany, NY, resulted in hackers gaining access to the email accounts of 15 employees. Those accounts contained the PHI of 128,400 current and former patients and employees.

Boys Town National Research Hospital

Boys Town National Research Hospital, an Omaha, NE hospital specializing in pediatric deafness, visual and communication disorders, experienced a phishing attack that allowed hackers to gain access to a single email account. The email account contained the PHI of 105,309 patients.

The post Largest Healthcare Data Breaches of 2018 appeared first on HIPAA Journal.

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Posted by HIPAA Journal

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients.

McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center.

The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an alternative, equivalent measure to safeguard PHI.

“Hospitals must take measures to protect the private information of their patients,” said AG Maura Healey. “This settlement requires McLean Hospital to implement a new information security program and train its staff on how to properly handle the private information of those they serve.”

Backups of sensitive data should be made regularly to ensure that, in the event of disaster, patients’ PHI can be recovered. If physical copies of PHI are backed up and taken offsite by employees, appropriate security controls should be put in place to prevent those individuals from accessing the data and to ensure that in the event of loss or theft of devices, PHI will not be exposed. While HIPAA falls short of demanding the use of encryption for PHI, if the decision is taken not to encrypt PHI, an alternative safeguard must be implemented that offers an equivalent level of protection.

In addition to the financial penalty, McLean Hospital has agreed to enhance its privacy and security practices. A written information security program will be implemented and maintained, training will be provided to new and existing employees on privacy and security of personal health information, an inventory will be created and maintained of all portable devices containing ePHI, and all electronic PHI will be encrypted within 60 days.

McLean has also agreed to a third-party audit of the Harvard Brain Tissue Resource Center to assess how it handles portable devices containing personal and health information.

“McLean has continued to enhance its privacy and security practices and procedures within the Brain Bank and throughout the research operation. The agreement with the Attorney General represents a continuation of those efforts,” explained McLean Hospital in statement issued to the media.

This is the second HIPAA violation penalty to be issued by Massachusetts in 2018. UMass Memorial Medical Group / UMass Memorial Medical Center settled a HIPAA violation case with Massachusetts for $230,000 in September. The fine related to the failure to secure the ePHI of 15,000 state residents.

The post Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital appeared first on HIPAA Journal.

OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a request for information (RFI) seeking comments from the public on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) Rules to promote coordinated, value-based healthcare.

OCR is seeking suggestions about changes to aspects of the HIPAA Privacy and Security Rules that are impeding the transformation to value-based healthcare and provisions of HIPAA Rules that are discouraging coordinated care between individuals and their healthcare providers.

HIPAA was first enacted 22 years ago at a time when few healthcare providers were using digital health records. While there have been updates to HIPAA over the years, many industry stakeholders believe further updates are necessary now that the majority of healthcare organizations have transitioned to digital health records.

Recently, the American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) explained to Congress that changes to HIPAA are required to improve patients’ access to their health data and to make it easier for that information to be shared with other healthcare providers and research organizations. Currently, aspects of the HIPAA Privacy Rule are discouraging providers from sharing data and patients are still have difficulty accessing their health information in a format that allows them to easily use and reuse their data.

OCR is encouraging the public to submit their comments to help OCR identify problem areas and remove regulatory obstacles that are hampering the transformation to value-based healthcare as well as aspects of HIPAA Rules that place an unnecessary burden on covered entities and their business associates which impede their ability to conduct care coordination and case management. However, changes can only be made to HIPAA Rules if they do not jeopardize the privacy and security of protected health information.

Specifically, OCR is seeking feedback on the following aspects of HIPAA Rules:

  • Changes to the HIPAA Privacy Rule to promote information sharing for treatment, care coordination, and/or case management which encourages, incentivizes, or requires HIPAA-covered entities to disclose PHI to other covered entities.
  • Changes to the HIPAA Privacy Rule to encourage healthcare providers and other covered entities to share treatment information with patients, their loved ones, and caregivers of adults in health emergencies, especially related to opioid misuse.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Changes to the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices.

Comments are also being sought from healthcare providers, business associates, and other covered entities along with answers to 54 questions detailed in the RFI.

The RFI will be published on December 14, 2018 and comments will be accepted for 60 days after the publication date. The RFI can be downloaded on this link.

The post OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing appeared first on HIPAA Journal.

Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

Posted by HIPAA Journal

OCR has fined a Colorado hospital $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI.

Pagosa Springs Medical Center (PSMC) is a critical access hospital, part of the Upper San Juan Health Service District, which provides more than 17,000 hospital and clinic visits a year. As a HIPAA-covered entity, PSMC is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules.

One of the provisions of the HIPAA Privacy Rule is to limit access to protected health information to authorized individuals. When an employee is terminated, leaves the organization, or changes job role and is no longer required to have access to PHI, access rights must be terminated. The failure to terminate remote access is a violation of HIPAA Rules and could potentially result in an impermissible disclosure of ePHI.

On June 7, 2013, OCR received a complaint about a former employee of PSMC who continued to have remote access to a web-based scheduling calendar after leaving PSMC. OCR investigated and confirmed remote access to the calendar had continued and that the former employee had accessed the calendar on two occasions on July 8 and September 10, 2013 as a direct result of the failure to de-activate the former employee’s username and password. The calendar contained the electronic protected health information of 557 patients.

Further, the web-based calendar used by PSMC had been provided by a company (Google) that had not signed a business associate agreement with PSMC. Consequently, the use of the calendar in connection with ePHI constituted an impermissible disclosure. Without a BAA in place, PSMC had not received satisfactory assurances that Google would safeguard the ePHI contained in the calendar.

It should be noted that Google Calendar is now a “HIPAA compliant” calendar service, as it is included in Google’s BAA. However, unless a signed BAA is obtained by a covered entity prior to using the service in connection with any ePHI, it constitutes a HIPAA violation.

In addition to the financial penalty, PSMC has agreed to adopt a substantial corrective action plan to address all HIPAA compliance failures, including updating its security management and business associate agreement policies and procedures. Staff must also be trained on those new policies and procedures. The corrective action plan last for two years, during which time PSMC will have to submit annual reports to the HHS on whether it has met its compliance obligations.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino.  “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

The settlement sends a message to all HIPAA covered entities of the importance of ensuring access to ePHI is promptly terminated when it is no longer required and serves as yet another reminder of the importance of making sure that a BAA is entered into with all vendors prior to any disclosure of ePHI.

This is the second OCR financial penalty for a HIPAA violation to be announced this month and the tenth OCR HIPAA penalty of 2018.

The post Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400 appeared first on HIPAA Journal.

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

Posted by HIPAA Journal

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members.

On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members.

The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents.

The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised.

That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed on mailing labels: A violation of HIPAA, the New Jersey Identity Theft Prevention Act, and the New Jersey Consumer Fraud Act.

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said New Jersey Attorney General Gurbir S. Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.”

In addition to the financial penalty, EmblemHealth has agreed to make changes to its policies and procedures to prevent further breaches of plan members’ PHI. Those measures include the use of unique patient identifiers for mailings rather than HCINs or Medicare Beneficiary Identifiers.

EmblemHealth will also ensure that a formal transfer process takes place when the responsibilities of outgoing staff are passed on to other EmblemHealth employees or third parties, and that all necessary training will be provided.

All incoming employees will also be required to complete additional privacy and security training modules and refresher training sessions will be conducted annually. The New Jersey Division of Consumer Affairs will be monitoring EmblemHealth over the next three years and must be informed of any further breaches of the PHI of New Jersey customers.

“This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs.

New Jersey has been highly active as an enforcer of HIPAA Rules and has agreed four settlements in 2018 to resolve violations of HIPAA Rules. In addition to the EmblemHealth HIPAA fine, New Jersey has settled HIPAA violations with Best Transcription Medical ($200,000), Aetna ($365,211.59), and Virtua Medical Group ($417,816) in 2018.

The post EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach appeared first on HIPAA Journal.

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

Posted by HIPAA Journal

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals.

Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures.

A Failure to Implement Adequate Security Controls

The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data security measures to protect individual’s health information from unauthorized access.”

The breach in question occurred between May 7 and May 26, 2015. Hackers were able to gain access to its WebChart electronic health record system and highly sensitive patient information – The exact types of data sought by identity thieves – Names, addresses, dates of birth, Social Security numbers, and health information.

Known Vulnerabilities Were Not Corrected

Medical Informatics Engineering had set two ‘tester’ accounts, one of which could be accessed with the username and password ‘tester’ and the other with the username and password ‘testing.’ Both accounts could be accessed remotely without the need for any further identification. The lawsuit alleges Medical Informatics Engineering was aware of the security issue as the accounts were identified as high risk by a third-party penetration testing firm, Digital Defense, in January 2015. Even though the accounts were high risk, Medical Informatics Engineering continued to use the accounts. The accounts were set up to enable one of its healthcare provider clients to login without having to use unique usernames and passwords.

While those accounts did not have privileged access, they did allow the hackers to gain a foothold in the network. Through those accounts the attackers conducted an SQL injection attack, which allowed them to gain access to other accounts with administrative privileges that were used to exfiltrate data.

Post-Breach Response Failures

While the initial attack and data exfiltration went unnoticed, a further attempt to exfiltrate data using malware caused network performance to slow to such an extent that an alarm was generated, alerting Medical Informatics Engineering that its systems had been compromised. While investigating the malware attack the attackers were still able to exfiltrate further data through SQL queries demonstrating the company’s post-breach response was “inadequate and ineffective.”

No Encryption or Employee Security Awareness Training

No encryption had been used to protect stored data and no security system had been implemented to alert Medical Informatics Engineering about possible hacking attempts. Had such a system been implemented, it would have been easy to identify unauthorized access as two of the IP addresses used by the attackers originated in Germany.

The lawsuit also alleges Medical Informatics Engineering had no documentation to confirm security awareness training had been provided to its employees prior to the data breach.

In addition to violations of HIPAA Rules, the lawsuit alleges Medical Informatics Engineering violated several state statutes relating to the protection of personal information, unfair and deceptive practices, and data breach notifications.

The post 12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering appeared first on HIPAA Journal.

OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures

Posted by HIPAA Journal

An HHS’ Office for Civil Rights (OCR) investigation into an impermissible disclosure of PHI by a business associate of a HIPAA-covered entity revealed serious HIPAA compliance failures.

Advanced Care Hospitalists (ACH) is a Lakeland, FL-based contractor physicians’ group that provides internal medicine physicians to nursing homes and hospitals in West Florida. ACH falls under the definition of a HIPAA-covered entity and is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. ACH serves approximately 20,000 patients a year and employed between 39 and 46 staff members per year during the time frame under investigation.

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.

A local hospital notified ACH on February 11, 2014 that some patient information – including names, birth dates, Social Security numbers, and some clinical information – was viewable on the First Choice website. The website was shut down the following day.

In April 2014, ACH submitted a breach report to OCR about the impermissible disclosure of patients’ protected health information (PHI). Its breach report stated the PHI of 400 patients had been impermissibly disclosed, but later amended the breach report after it was discovered a further 8,855 patients’ PHI had also been impermissibly disclosed.

OCR investigated the breach and discovered that despite having been in operation since 2005, ACH did not implement any HIPAA Privacy, Security, and Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security measures. ACH also failed to conduct a risk analysis until March 4, 2014.

Even though PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a business associate agreement with that individual. As a result of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services – PHI that was subsequently exposed online.

In addition to paying the $500,000 fine, ACH has agreed to implement a robust corrective action plan to correct all HIPAA compliance failures.

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.

The latest settlement is the ninth OCR HIPAA compliance penalty of 2018. $25,572,000 has been paid to OCR in 2018 to resolve compliance failures.

The post OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures appeared first on HIPAA Journal.

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

Posted by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 to revolve potential violations of the HIPAA Privacy Rule.

On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – A Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter.

The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information.

OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a).

The physician in question had already been advised by the practice’s Privacy Officer to ignore the reporter’s request for comment or to respond with ‘no comment.’ However, the physician chose to speak with the reporter and disclosed some of the patient’s PHI. OCR viewed the disclosure as ‘a reckless disregard for the patient’s privacy rights.’

After Allergy Associates was contacted by OCR about the privacy breach, Allergy Associates failed to apply appropriate sanctions against the physician concerned for a violation of the practice’s privacy policies and procedures, as is required by the HIPAA Privacy Rule – 45 C.F.R. §164.530(e)(l).

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” explained OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

Allergy Associates agreed to settle the case with no admission of liability. In addition to paying a financial penalty of $125,000, Allergy Associates has agreed to adopt a robust corrective action plan which includes two years of OCR monitoring the practice’s compliance with HIPAA Rules.

The post OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure appeared first on HIPAA Journal.