HIPAA Compliance News

Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule

A physician at the Dr. O Medical and Wellness Center in San Antonio, Texas allegedly retaliated against a patient by posting a video of the individual clad only in underwear on Facebook and YouTube. The doctor’s actions, which appear to be a clear violation of the HIPAA Privacy Rule, have resulted in her being sanctioned by the Texas Medical Board following a complaint by the patient.

The patient, Clara Aragon-Delk, underwent a series of cosmetic surgery procedures starting in 2015. Non-invasive laser treatments were performed by Dr. Tinuade Olusegun-Gbadehan, and while consent was provided by the patient to have photographs and videos taken, authorization was only given for ‘anonymous use for the purposes of medical audit, education, and promotion.’

The images and video contained full-face shots of the patient. Rather than pixelating the patient’s face, a video was posted to Olusegun-Gbadehan’s Facebook page with no attempt to conceal the patient’s identity.

From the video, it would appear that the patient was happy with the treatment, although around a month later the patient had changed her mind. The patient replied to the Facebook post saying “OK, I’ll make my Comment! Beware! Send me a personal message, and I’ll share my experience with this crap!”

There were subsequent email exchanges between Dr. Olusegun-Gbadehan and the patient, in which Aragon-Delk claims Dr. Olusegun-Gbadehan acted in an abusive and threatening manner.

Aragon-Delk claims Dr. Olusegun-Gbadehan said in one email, “I will damage your professional and you will be humiliated!” Olusegun-Gbadehan also said that others “will see your glowing testimonial and your body, enjoy your Hi-Def video. Enjoy as others will do the same.”

In the complaint filed with the Texas Medical Board, the patient claimed she suffered burns during the first procedure. She also claimed to have been overbilled. In response to the overbilling, the patient contacted a merchant processing company called Stripe regarding the disputed charges.

Two weeks ago, the Texas Medical Board ruled that Dr. Olusegun-Gbadehan had violated the patient’s privacy and acted in an unprofessional manner.

The Texas Medical Board said the posting of the video was a HIPAA violation and was unprofessional. The Board also ruled that an email containing the link to a posting of the video that was sent to the patient in an unsecured format was also a confidentiality breach and was unprofessional. Dr. Olusegun-Gbadehan also sent the video to the merchant processing company in response to the billing dispute as evidence that the patient initially appeared to be happy with the treatment, but this too was a violation of the patient’s privacy.

Dr. Olusegun-Gbadehan neither admits nor denies the allegations, but agreed to the Texas Medical Board’s order to avoid a contested hearing, according to the San Antonio Express News.

The order requires Dr. Olusegun-Gbadehan to retake the Texas Medical Jurisprudence Examination within the next 12 months.

While the matter would appear to have been settled, the patient has now sued Dr. Olusegun-Gbadehan for mental anguish, physical pain, and suffering. HIPAA provides no private right of action, so patients cannot sue physicians for HIPAA violations as such. Consequently, a health care liability claim has been filed under state law, claiming that the publication of the video and the subsequent email correspondence were intended to damage the patient’s personal and professional reputation.

The post Alleged Social Media Retaliation by Doctor Breached HIPAA Privacy Rule appeared first on HIPAA Journal.

Updated HIPAA Compliance Audit Toolkit Issued by AHIMA

Phase 2 of the Department of Health and Human Services’ Office for Civil Rights HIPAA compliance audits is now well underway. Late last year, covered entities were selected for desk audits, and the first round of audits has now been completed. OCR has moved on to auditing business associates of covered entities.

At HIMSS17, OCR’s Deven McGraw explained that the full onsite compliance audits, which were initially penciled in for Q1 2017, are to be delayed. This gives covered entities more time to prepare.

The phase 2 HIPAA compliance desk audits were more detailed than the first phase of audits conducted in 2011/2012. The desk audits covered a broad range of requirements of the HIPAA Privacy, Security, and Breach Notification Rules, although they only consisted of a documentation check to demonstrate compliance.

The onsite audits will be much more thorough and will look much deeper into organizations’ compliance programs. Covered entities will not only have to show auditors documentation demonstrating compliance with HIPAA Rules; OCR will also be looking for evidence that the documented policies and procedures are actually followed in practice.

To help with the audit preparation process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. The toolkit can be used by covered entities to assess their compliance efforts and determine whether they have all the necessary documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act requirements.

The new toolkit details the legal process of the HIPAA compliance audit program, OCR processes, and now incorporates the updated HIPAA audit protocol used by OCR in the second phase of the compliance audits.

The new toolkit contains HIPAA compliance checklists covering the policies, procedures, and documentation that are likely to be requested by Office for Civil Rights auditors, together with a master policy template for the Privacy and Security Rule compliance program.

AHIMA has also included tips and best practices that HIPAA-covered entities and their business associates can adopt to help them meet their responsibilities, along with a HIPAA audit preparation guide.

AHIMA members can access the HIPAA audit readiness toolkit free of charge in the HIM Body of Knowledge section of the AHIMA website or through its web store.

The onsite audits may have been delayed, but covered entities should ensure they are ready for an audit. Even if the audits slip into 2018, as hinted by McGraw, OCR still investigates all breaches affecting 500 or more individuals. In the event of a data breach, OCR will require evidence of compliance with HIPAA Rules, and heavy fines await organizations found not to have complied with the HIPAA Privacy, Security, and Breach Notification Rules.


AHIMA Publishes New Resource Confirming Patients’ PHI Access Rights under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) permits patients to obtain a copy of their medical records in electronic or paper form. Last year, the Department of Health and Human Services released a series of videos and documentation to explain patients’ right to access their health data.

Yesterday, the American Health Information Management Association (AHIMA) also published guidance – in the form of a slideshow – further explaining patients’ access rights, what to expect when requests are made to healthcare providers, possible fees, and the timescale for obtaining copies of PHI.

AHIMA explains that copies will not be provided immediately. Under HIPAA Rules, healthcare providers have up to 30 days to provide copies of medical records, although many provide them well within that timeframe. In some cases, provided there is a justifiable reason for doing so, a healthcare provider may extend the deadline once, by up to 30 days, and must give the patient written notice of the reason for the delay. In such cases, it may take up to 60 days for patients to obtain copies of their health data.

AHIMA has explained to whom healthcare providers are allowed to disclose the information: Patients or a nominated personal representative. In the case of the latter, guidance has been issued on who that person may be.

There are various models that can be adopted by healthcare providers for charging patients for copies of PHI. While the actual cost for providing copies of medical records may not be provided at the time the request is made, healthcare providers must advise patients of the approximate cost at the time the request is made. AHIMA points out that if electronic health data is being provided via a patient portal, a charge will not apply.

Since HIPAA serves to protect patient privacy, healthcare providers are required to verify the identity of the person making the request, whether the patient or a personal representative. A healthcare provider may therefore ask for photographic ID to be produced before any records are released, and may require a signed form verifying identity.

AHIMA explains that obtaining copies of medical records is important. Access to health data improves patient engagement and empowers them to make more informed choices about their healthcare.

While providers should be able to obtain health data from other providers, that process is not always straightforward due to data incompatibility issues. It is therefore important that patients have complete copies of their medical records so they can provide complete sets to new providers. Doing so improves the coordination of care.

Patients should also check their health records for any errors and omissions – known allergies for instance. If an error or omission is discovered, a request to change the records should be submitted to the appropriate healthcare provider.

The AHIMA slideshow and an accompanying AHIMA blog post provide further information for patients on medical record access.

Penalties for Failing to Provide Patients with Copies of their Medical Records

Healthcare providers should be aware that failure to provide patients with copies of their medical records can result in a financial penalty for non-compliance with HIPAA Rules.

41 patients of Cignet Health of Prince George’s County in Maryland were denied access to their medical records and complained to OCR. The investigation revealed that the HIPAA Privacy Rule had been violated, and OCR imposed a civil monetary penalty of more than $4.3 million on Cignet, a penalty that also reflected Cignet’s failure to cooperate with the investigation.

AHIMA recommends that healthcare providers regularly review their policies and procedures for providing patients with copies of their medical records. Many healthcare providers have unintended barriers in place that make it difficult for patients to exercise their right to access their health data. Only by understanding HIPAA Rules on patient PHI access rights – and ensuring HIPAA Rules are followed – will healthcare providers be able to ensure that their patients enjoy the benefits that come from them taking a more active role in their healthcare.


Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks.

While the HITRUST CSF – the most widely adopted privacy and security framework in healthcare – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the full framework is simply not viable: they lack the staff and expertise to implement it.

While the HITRUST CSF program is beneficial for smaller healthcare organizations, they do not face the same levels of risk as larger organizations. Given that the risks are lower and HIPAA compliance already consumes a large share of their resources, HITRUST has developed a simplified, streamlined framework that is better suited to small healthcare organizations.

The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity or CSFBASICs for short – has a more streamlined assessment approach, is easier to understand, yet will still help smaller healthcare organizations with their risk management and compliance efforts.

To develop the pilot CSFBASICs program, HITRUST collaborated with small businesses and the physician community. The pilot is now in its final phase, and HITRUST expects to make the CSFBASICs program widely available by Q3 2017.

Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a Corpus Christi, TX-based five-physician primary healthcare practice, explained the problem, “I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA.” Walker went on to say, “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Enhancements Made to HITRUST CSF and CSF Assurance Program


In addition to the CSFBASICs program, HITRUST has also announced that it has enhanced its HITRUST CSF programs (V8.1 and V9) along with the supporting HITRUST CSF Assurance Program (V9). The updates include new guidance and better assurance and support for healthcare organizations to help them deal with the increase in cyber threats and to improve resilience against those threats.

HITRUST (and the HITRUST CSF Advisory Council) sought input from healthcare industry stakeholders on potential changes and updates to the framework. From the comments received, a number of enhancements have now been made.

HITRUST CSF v8.1, which was made available on February 6, 2017, includes updated content and support for PCI DSS v3.2 and MARS-E v2. The CSF Assurance Program v9 has been enhanced so that a HITRUST CSF Assessment now also yields a NIST Cybersecurity Framework certification, a HIPAA risk assessment, and auditable documentation.

The HITRUST CSF v9 update includes the latest OCR Audit Protocol (v2), FedRAMP support for cloud and IaaS service providers, and the FFIEC IT Examination Handbook for Information Security. The updated version is not expected to be available until July 2017. That will give HITRUST time to harmonize the new requirements with the current program and ensure that the changes do not add unduly to the complexity of the framework.


Small Healthcare Data Breach Notification Deadline: March 1, 2017

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires all covered entities to report breaches of unsecured protected health information to the Department of Health and Human Services’ Office for Civil Rights.

While large data breaches – those impacting 500 or more individuals – must be reported to OCR within 60 days of the discovery of the breach, covered entities can delay the reporting of smaller data breaches.

Affected individuals must be notified of any breach of their PHI without unreasonable delay, and no later than 60 days after discovery, regardless of how many individuals are affected. OCR, however, need not be notified of breaches affecting fewer than 500 individuals until 60 days after the end of the calendar year in which the breaches were discovered.

The deadline for reporting 2016 healthcare data breaches impacting fewer than 500 individuals is March 1, 2017.

As with larger data breaches, all smaller incidents must be submitted via the OCR breach reporting tool. While smaller data breaches can be reported together, each breach must be entered into the breach reporting tool separately along with any supporting information.

Even if the full details of the breach are not yet known, covered entities should submit the reports before the March 1 deadline. An addendum can be added to the breach report when further information becomes available.

It is strongly advisable to assign responsibility for breach reporting to one individual and to start uploading the breach reports as soon as possible. Covered entities should not wait until February 28 or March 1 to upload their breach reports. Late reporting of healthcare data breaches is a violation of the HIPAA Breach Notification Rule, and as we have already seen this year, fines for late breach notifications can be – and are – issued.

In January, OCR took action against Presence Health Network for unnecessarily delaying the issuing of breach notification letters to patients. Presence Health was required to pay OCR $475,000 to settle the case.


New HIPAA Guidance in 2017: Texting, Social Media, & Case Walkthrough

At HIMSS17, OCR’s Deven McGraw shed some light on the HIPAA guidance OCR expects to release in 2017. OCR may be busy with assessing the findings of the HIPAA compliance desk audits of healthcare organizations and their business associates, but a swathe of new HIPAA guidance is set to be released this year.

Last year, the Joint Commission lifted its ban on the use of text messages for orders, although within weeks of the announcement the ban was back in place. Late last year, the Joint Commission partially lifted the ban, saying that a secure text messaging platform was acceptable for doctors communicating with each other, although the texting of orders – regardless of whether a secure, HIPAA-compliant platform was used – remained prohibited.

OCR receives many questions from physicians and covered entities on the use of text messaging and HIPAA Rules. McGraw has confirmed that in response to the many questions, OCR will be issuing HIPAA guidance on text messaging later this year.

In an interview with Information Security Media Group, McGraw explained “There are a lot of questions whether covered entities can text with patients and whether employees within covered entities can text one another, or text covered entity to covered entity, covered entity to business associate, or covered entity to public health department.”

In the guidance, OCR will cover the use of text messages between physicians, healthcare organizations, and the sending of messages to patients, along with the circumstances under which the use of text messages is prohibited by HIPAA Rules.

Last year, there were a number of instances of healthcare professionals accidentally disclosing the protected health information of patients on social media sites and deliberately posting images and videos containing personally identifiable information.

While it is clear to most healthcare professionals what is, and what is not, allowable under HIPAA Rules, guidance on the use of social media platforms will be issued, including an explanation of when prior authorization from a patient is required.

McGraw also said OCR is working to address its FAQ section on its website as many posted answers are ‘horribly out of date.’

To improve transparency, OCR has been working on guidance on what covered entities can expect when OCR investigators come knocking. OCR investigates all data breaches affecting 500 or more individuals, yet how those investigations proceed remains something of a mystery. OCR will be releasing an “Anatomy of a Case,” which explains the process that takes place when OCR investigates a healthcare data breach or complaint. The guidance will detail how civil monetary penalties (CMPs) are calculated and settlements are reached, including the criteria OCR uses when determining appropriate financial penalties.

Much of the guidance has already been written, although it must now be passed to OCR’s legal team. Once that process has been completed, and OCR has made the document readable again, the new guidance will be released.


Onsite HIPAA Audits Could Be Delayed by a Year

In an interview at HIMSS17 with the Information Security Media Group, Deven McGraw, Deputy Director of Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights, explained that the Phase 2 HIPAA compliance audits are progressing, although the onsite audits of covered entities will be delayed.

It is currently unclear how much of a delay there will be. The onsite audits were to immediately follow the 211 desk audits that were conducted last year, although the decision has been taken to push back the onsite audits until the reports of the desk audits have been written and analyzed.

For the HIPAA compliance desk audits, covered entities and business associates of covered entities were sent notifications that they had been selected for audit. They were asked to supply a range of documentation on various aspects of their HIPAA compliance programs. The documentation has now been assessed and OCR is very close to issuing reports to the 166 covered entities that were audited. Those reports will be sent out in groups, with the first batch hopefully sent by the end of this week.

Covered entities will be provided with the opportunity to comment on the findings of the audits before the reports are finalized. Business associate audits are continuing, with some audit notifications only sent recently. In total, 45 business associates of covered entities were selected for audit.

The onsite audits will be conducted on a small selection of geographically representative covered entities. Last year, when OCR announced the start of the second phase of HIPAA compliance audits, the onsite audits were expected to be conducted in the first quarter of 2017. However, Deven McGraw said the onsite audits are to be delayed. It is hoped that the onsite audits will still take place this year, although they may “slip into 2018.”

The reason for the delay is that it makes more sense to hold off on the onsite audits until the results of the desk audits have been assessed. No final decision has been made on the timescale, although it is possible that the final public report on the results of the desk audits will be issued before the onsite audits begin.

Input will also be sought from Tom Price, the new Secretary of the Department of Health and Human Services. Secretary Price may have views on how the audits are conducted, which will need to be factored in before the audits commence. McGraw also explained that the desk audits have been an “enormous resource-intensive effort” and OCR does not want to “take on more than it can chew.”

However, while OCR is busy with the audit process, there will be no let-up in OCR enforcement activity in 2017. The same pace of HIPAA enforcement will continue throughout the year.

The ISMG interview with Deven McGraw contains further information on OCR’s plans for HIPAA enforcement in 2017.


Horizon BCBS of New Jersey Pays $1.1 Million for HIPAA Violation

The New Jersey Division of Consumer Affairs recently announced that Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) has agreed to pay a $1.1 million fine for failing to protect the electronic protected health information of almost 690,000 plan members.

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement administrative, technical, and physical safeguards to protect the ePHI of patients and health plan members. Encryption is not a required implementation specification of the HIPAA Security Rule, but it is an addressable one. Covered entities must therefore consider the use of encryption to protect ePHI at rest and in transit. If encryption is not adopted, the covered entity must document why it is not reasonable and appropriate and implement alternative security measures that offer an equivalent level of protection.

Covered entities are required to conduct a comprehensive risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. If laptop computers are used to store the ePHI of patients or plan members, a risk analysis should show that there is a risk of ePHI exposure. Appropriate security controls should therefore be put in place to prevent ePHI exposure in the event that the devices are lost or stolen. Encryption is one method of securing the data, although other controls could equally be used. A login password on its own, however, is insufficient: it does not offer a level of protection equivalent to encryption, because the drive can simply be removed from a stolen laptop and read on another machine.

In November 2013, two laptop computers were stolen from Horizon BCBSNJ offices. The laptops were password protected but ePHI on the devices was not encrypted and no other technical security controls were used to safeguard the data. The laptop computers were secured to desks with security cables, although the thieves cut through those cables and took the laptops.

Data stored on the devices included the names and addresses of policyholders, along with insurance identifiers, dates of birth, some Social Security numbers, and a limited amount of clinical data.

The theft occurred over the course of a weekend when work was being conducted on Horizon BCBSNJ offices. A number of external vendors were provided with unsupervised access to the offices, including the area where the laptops were stored.

This was not the first time that an unencrypted laptop computer containing the ePHI of policyholders was stolen from Horizon BCBSNJ. A laptop computer was stolen from the vehicle of an employee in January 2008. Following that incident, Horizon BCBSNJ changed its policies and started using encryption on all laptop computers used to store ePHI. By May 2008, Horizon BCBSNJ announced that the encryption process had been completed. Training on the use of encryption was also provided to company employees to ensure they were aware of the new security controls.

However, during the course of the Division of Consumer Affairs investigation, it was discovered that more than 100 laptop computers used by Horizon BCBSNJ had no encryption, potentially placing ePHI at risk of exposure. The reason given for the lack of encryption was that the laptops had been obtained through a non-standard procurement process. As a result, the IT department was unaware that the devices had not been encrypted, and the devices were not monitored or serviced as corporate policy required.

Additionally, the Division of Consumer Affairs investigators determined that the employees who had been issued the two laptop computers were not required to store ePHI, and that doing so violated corporate policies.

The investigators concluded that in addition to violations of HIPAA Privacy and Security Rules, Horizon BCBSNJ had also violated the New Jersey Consumer Fraud Act.

In addition to the $1.1 million fine, Horizon BCBSNJ is required to adopt a robust corrective action plan to ensure compliance with HIPAA/HITECH and the New Jersey Consumer Fraud Act. An external professional must be hired to conduct a comprehensive, organization-wide risk analysis covering all devices and systems used to store or transmit ePHI. That risk analysis must be conducted within 180 days of the settlement date, and annually for the next two years. Reports of the findings of the analysis must be submitted to the Division of Consumer Affairs.

Steve Lee, Director of the Division of Consumer Affairs, said, “Protecting the personal information of policyholders must be a top priority of every company. Customers deserve it and the law demands it.” He also explained that “Horizon Blue Cross Blue Shield of New Jersey’s alleged security lapses risked exposing policyholders’ most private information to the public, leaving them vulnerable to identity theft. This settlement ensures that Horizon BCBSNJ will maintain appropriate data privacy and security protocols to prevent future data breaches.”


Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System

The Department of Health and Human Services’ Office for Civil Rights (OCR) has effectively matched last year’s record $5.55 million HIPAA settlement with Advocate Health Care. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare System to resolve potential Privacy Rule and Security Rule violations.

Memorial Healthcare System has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, it must adopt a robust corrective action plan to address all areas of non-compliance.

Memorial Healthcare System operates six hospitals in South Florida, with its flagship hospital one of the largest in the state. The healthcare system also operates a range of ancillary healthcare facilities, a nursing home, and an urgent care center, and is affiliated with many physician offices through an Organized Health Care Arrangement (OHCA).

In 2012, Memorial Healthcare discovered a breach of ePHI had occurred. The breach was reported to OCR on April 12, 2012. It related to two employees who were found to have inappropriately accessed patients’ ePHI, including names, dates of birth, and Social Security numbers. Federal charges were brought against the individuals for selling the stolen ePHI and filing fraudulent tax returns, and OCR investigated to determine whether any underlying violations of HIPAA Rules had contributed to the exposure and theft of PHI. Memorial Healthcare was investigated by OCR in the summer of 2012.

Memorial Healthcare also conducted its own investigation which revealed that those two employees were not the only individuals to have inappropriately accessed ePHI. Memorial Healthcare’s investigation determined that 12 individuals at its affiliated physician offices had also inappropriately accessed the ePHI of patients. In total, the ePHI of 115,143 individuals was impermissibly accessed by its employees.

The investigation revealed that the login credentials of a former employee of one of its affiliated physician offices had been used to access the ePHI of patients on a daily basis for a period of a year. The login credentials were discovered to have first been used to access ePHI without authorization in April 2011, and access continued until April 2012, when the improper access was detected and blocked. The ePHI of 80,000 patients had been accessed using those login credentials.

In accordance with HIPAA Rules, Memorial Healthcare System had implemented policies and procedures covering ePHI access by its workforce, but it had failed to implement procedures to review and modify users’ access rights to ePHI when access was no longer required. Several risk analyses conducted between 2007 and 2012 had already highlighted this risk to ePHI.

Inappropriate access by its employees and by staff at affiliated physician offices continued for a year, yet Memorial Healthcare did not notice, because records of information system activity were not regularly reviewed.
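The control that failed here is the periodic review of information system activity against a current list of authorized users. The following is an added example, not Memorial Healthcare System’s tooling and not OCR’s audit method, showing what such a review can look like in Python over constructed sample data: a hypothetical HR roster with termination dates and a handful of made-up access-log lines. The user names, record identifiers and log format are all assumptions for the illustration.

```python
"""Review ePHI access logs against an HR roster.

Flags (1) use of an account after its owner's termination date, (2) accounts that
appear in the log but are unknown to HR, and (3) per-user access volume, which is
what a recurring log review is meant to surface. Added example with constructed
data; not Memorial Healthcare System's tooling or OCR's methodology.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed roster: user -> termination date (None means still employed).
ROSTER = {
    "jdoe": None,
    "bjones": None,
    "asmith": date(2011, 3, 31),  # left an affiliated practice; account never disabled
}

# Constructed access-log lines: "<ISO timestamp> <user> <action> <record id>".
SAMPLE_LOG = """\
2011-03-30T11:00:00 asmith VIEW MRN-100000
2011-04-01T08:02:11 asmith VIEW MRN-100001
2011-04-01T08:05:43 asmith VIEW MRN-100002
2011-04-01T09:10:00 jdoe   VIEW MRN-100003
2011-04-02T08:01:27 asmith VIEW MRN-100004
2011-04-02T10:15:00 bjones VIEW MRN-100005
2011-04-02T12:00:00 xhuang VIEW MRN-100007
2011-04-03T08:00:51 asmith VIEW MRN-100006
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, user, action, record)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events


def post_termination_access(events, roster):
    """Events where a known, terminated user touched a record after termination."""
    return [
        ev for ev in events
        if roster.get(ev[1]) is not None and ev[0].date() > roster[ev[1]]
    ]


def unknown_accounts(events, roster):
    """User names present in the log that HR has no record of at all."""
    return {ev[1] for ev in events if ev[1] not in roster}


def access_profile(events):
    """Per user: distinct days with access and distinct records touched.

    One account reading records on nearly every working day for months is the
    pattern that went unnoticed when activity records were not reviewed.
    """
    days = defaultdict(set)
    records = defaultdict(set)
    for ts, user, _, record in events:
        days[user].add(ts.date())
        records[user].add(record)
    return {
        u: {"distinct_days": len(days[u]), "distinct_records": len(records[u])}
        for u in days
    }


def review(log_text, roster):
    """Run all three checks and return them as one report."""
    events = parse_log(log_text)
    return {
        "post_termination": post_termination_access(events, roster),
        "unknown_accounts": unknown_accounts(events, roster),
        "profile": access_profile(events),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, ROSTER)
    for ts, user, action, record in report["post_termination"]:
        print(f"TERMINATED-ACCOUNT ACCESS {ts:%Y-%m-%d %H:%M} {user} {action} {record}")
    for user in sorted(report["unknown_accounts"]):
        print(f"ACCOUNT NOT ON ROSTER {user}")
    for user, p in sorted(report["profile"].items()):
        print(f"{user}: {p['distinct_days']} day(s), {p['distinct_records']} record(s)")
```

In real deployments the roster comes from the HR or identity system and the log from the EHR’s audit trail; the point of the example is that the join between the two is simple, and that running it on a schedule is what turns an audit log into the “regular review of records of information system activity” the Security Rule requires.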

OCR investigators determined that Memorial Healthcare had violated HIPAA Rules (45 C.F.R. §§ 160.103 and 164.502(a)) by providing access to PHI to a former employee of an affiliated physician practice between April 1, 2011 and April 27, 2012.

A violation of 45 C.F.R. § 164.308(a)(1)(ii)(D) occurred between January 1, 2011 and June 1, 2012, as regular reviews of records of information system activity had not been performed.

45 C.F.R. § 164.308(a)(4)(ii)(C) had also been violated by failing to modify a user’s right of access to a workstation, transaction, or program allowing ePHI to be impermissibly accessed.

Each provision violated carries a maximum penalty of $1.5 million per calendar year in which the violation persisted. Had Memorial Healthcare not agreed to settle with OCR, the financial penalty could have been considerably higher.

This HIPAA settlement brings the annual total to three settlements and one Civil Monetary Penalty (CMP). Earlier this month, OCR announced a $3.2 million CMP for Children’s Medical Center of Dallas. In January, a settlement of $2.2 million was agreed with MAPFRE Life Insurance Company of Puerto Rico for impermissible disclosure of ePHI, and a $475,000 settlement was agreed with Presence Health to resolve HIPAA Breach Notification Rule violations.

OCR Acting Director Robinsue Frohboese announced the latest HIPAA settlement saying “Access to ePHI must be provided only to authorized users, including affiliated physician office staff.” Frohboese also explained that “Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

At the current rate, last year’s record breaking year for HIPAA settlements will be eclipsed in 2017. The regularity of HIPAA settlements and CMPs should send a strong message to covered entities that OCR is coming down hard on organizations discovered to have violated HIPAA Rules and exposed patients’ protected health information.
