What are the Penalties for HIPAA Violations?

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA. 

The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom.

Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to covered entities that fail to comply with HIPAA Rules.

Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect from March 26, 2013.

Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses and all other covered entities, as well as business associates (BAs) of covered entities that are found to have violated HIPAA Rules.

Financial penalties are intended to act as a deterrent to prevent the violation of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and the confidentiality of health data, and providing patients with access to their health records on request.

The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. The OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

Ignorance of HIPAA Rules is no excuse for failing to comply with HIPAA Rules.  It is the responsibility of each covered entity to ensure that HIPAA Rules are understood and followed. In cases when a covered entity is discovered to committed a willful violation of HIPAA laws, the maximum fines apply.

What Constitutes a HIPAA Violation?

There is much talk of HIPAA violations in the media, but what constitutes a HIPAA violation? A HIPAA violation is when a HIPAA covered entity – or a business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.

A violation may be deliberate or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties will be at a lower rate to willful violations of HIPAA Rules.

An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications – A violation of the HIPAA Breach Notification Rule.

Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.

Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary compliance, issuing technical guidance, or accepting a covered entity or business associate’s plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules.

What Happens if you Violate HIPAA? – HIPAA Violation Classifications

What happens if you violate HIPAA? That depends of the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as with voluntary compliance or  issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.

The four categories used for the penalty structure are as follows:

  • Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
  • Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
  • Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
  • Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for a covered entities to be issued with a fine. OCR appreciates this, and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involved willful neglect of Privacy, Security and Breach Notification Rules.

HIPAA Violation Penalty Structure

Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected and the nature of the data exposed. An organization´s willingness to assist with an OCR investigation is also taken into account. The general factors that can affect the level of financial penalty also include prior history, the organization’s financial condition and the level of harm caused by the violation.

  • Tier 1: Minimum fine of $100 per violation up to $50,000
  • Tier 2: Minimum fine of $1,000 per violation up to $50,000
  • Tier 3: Minimum fine of $10,000 per violation up to $50,000
  • Tier 4: Minimum fine of $50,000 per violation

The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account. The civil monetary penalties for 2018 and 2019, adjusted for inflation, can be viewed on this link. 

The HITECH Act increased the possible penalties for HIPAA violations to strengthen enforcement of HIPAA compliance and to give HIPAA covered entities a greater incentive to press forward with their compliance programs. OCR interpreted the text of the HITECH Act to mean that maximum and minimum penalties should be set in each of the four penalty tiers based on the level of culpability. However, there were some ambiguities with respect to the maximum possible annual fines in each of the violation tiers. OCR interpreted HITECH requirements to mean that the maximum penalty in each violation category should be $1,500,000 per year for violations of an identical provision. However, in April 2019, OCR re-evaluated the HITECH Act text and interpreted the maximum fines differently. From April 2019 onward, the maximum fines that can be applied for violations of an identical provision in a calendar year are different in each penalty tier.  The maximum fine per violation category, per year, is still $1,500,000 for a Tier 4 violation. The maximum annual fine has been reduced in each of the other tiers, as detailed in the infographic below.

A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $50,000 could, in theory, be issued for any violation of HIPAA rules; however minor.

A fine may also be applied on a daily basis. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.

Attorneys General Can Also Issue HIPAA Violation Fines

Since the introduction of the HITECH Act (Section 13410(e) (1)) in February 2009, state attorneys general have the authority to hold HIPAA-covered entities accountable for the exposure of the PHI of state residents and can file civil actions with the federal district courts. HIPAA violation fines can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.

A covered entity suffering a data breach affecting residents in multiple states may be ordered to pay HIPAA violation fines to attorneys general in multiple states. At present only a few U.S states – Connecticut, Massachusetts, Indiana, Vermont and Minnesota – have so far taken action against HIPAA offenders, but since attorneys general offices are able to retain a percentage of the fines issued, more attorneys general may decide to issue penalties for HIPAA violations.

Can HIPAA Violations be Criminal?

When a HIPAA-covered entity of business associate violates HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it is usually their employer that receives the penalty, but not always. If healthcare professionals knowingly obtain or use protected health information for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the Administrative Simplification subtitle of HIPAA.

Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals that have knowingly violated HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences.

Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual “knowingly” violates HIPAA, knowingly means that they have some knowledge of the facts that constitute the offense, not that they definitely know that they are violating HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case. As with OCR, a number of general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access or disclosure of PHI, it may be necessary for all moneys received to be refunded, in addition to the payment of a fine.

The tiers of criminal penalties for HIPAA violations are:

Tier 1:   Reasonable cause or no knowledge of violation – Up to 1 year in jail

Tier 2:   Obtaining PHI under false pretenses – Up to 5 years in jail

Tier 3:   Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail

In recent months, the number of employees discovered to be accessing or stealing PHI – for various reasons – has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified promptly.

All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment, but potentially also a lengthy jail term and a heavy fine.

State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely.

Employee Sanctions for HIPAA Violations

Not all HIPAA violations are as a result of insider theft, and many Covered Entities and Business Associates apply a scale of employee sanctions for HIPAA violations depending on factors such as whether the violation was intentional or accidental, whether it was reported by the employee as soon as the violation was realized,  and the magnitude of the breach. Some Covered Entities also apply employee sanctions for HIPAA violations on employees who were aware a violation (by another employee) had occurred, but failed to report it.

Employee sanctions for HIPAA Violations vary in gravity from further training to dismissal. The decision should be taken in consultation with HIPAA Privacy and Security Officers, who may have to conduct interviews with the employee, investigate audit trails and review telephone logs – including the telephone logs of the employee´s mobile phone. Because of the expense and disruption attributable to applying employee sanctions for HIPAA violations, it is worthwhile dedicating more resources to initial employee training in order to prevent HIPAA violations – whether intentional or accidental – from occurring.

Receiving a Civil Penalty for Unknowingly Violating HIPAA

Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations is not regarded as a justifiable excuse for failing to implement the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.

As a result of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without authorization when a laptop containing the data was stolen from a car parked outside an employee´s home. Speaking after details of the fine had been announced, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for disregarding security.

It may also be possible for a CE or BA to receive a civil penalty for unknowingly violating HIPAA if the state in which the violation occurs allows individuals to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, individuals can still use the regulations to establish a standard of care under common law. Several cases of this nature are currently in progress.

HIPAA Compliance Audits are Likely to Result in Penalties for HIPAA Violations

If a CE or BA is found not to have complied with HIPAA regulations, OCR has the authority to issue penalties for HIPAA noncompliance – even if there has been no breach of PHI or no complaint.

After much delay, OCR is now conducting the second phase of HIPAA compliance audits. The audits are not being conducted specifically to find HIPAA violations and to issue financial penalties, although if serious violations of HIPAA Rules are discovered, financial penalties may be deemed appropriate.

The first phase of HIPAA compliance audits was conducted in 2011/2012 and revealed many covered entities were struggling with compliance. OCR provided technical assistance to help those entities correct areas of noncompliance and no penalties for HIPAA violations were issued.

Now, 5 years on, covered entities have had ample time to develop their compliance programs. This time around, OCR is not expected to be so lenient.

One of the biggest areas of noncompliance with HIPAA Rules discovered during the first phase of compliance audits was the failure to conduct a comprehensive, organization-wide risk assessment.

The risk assessment is fundamental to developing a good security posture. If a risk assessment is not conducted, a covered entity will be unaware whether any security vulnerabilities exist that pose a risk to the confidentiality, integrity, and availability of ePHI. Those risks will therefore not be managed and reduced to an acceptable level.

A look at the penalties for HIPAA violations issued by OCR shows just how common risk assessment violations occur. Risk assessment failures frequently attract financial penalties.

The failure to complete Business Associate Agreements (BAAs) with third-party service providers can attract penalties for HIPAA noncompliance. Several covered entities have been fined for failing to revise BAAs written before September 2014, when all existing contracts were invalidated by the Final Omnibus Rule. In September 2016, the Care New England Health System was fined $400,000 for HIPAA noncompliance that included the failure to revise a BAA originally signed in March 2005.

BAAs are a key area that OCR will be keeping an eye on throughout its audit program. BAAs – contracts that lay out the permitted uses and allowable disclosures of PHI – should be signed with every third party service provider with whom PHI is disclosed (including lawyers).

Penalties for HIPAA Violations


OCR Penalties for HIPAA violations 2008-2020

When deciding on an appropriate settlement, OCR considers the severity of the violation, the extent of noncompliance with HIPAA Rules, the number of individuals impacted and the impact a breach has had on those individuals. OCR also considers the financial position of the covered entity. Punitive measures may be necessary, but penalties for HIPAA violations should not result in a covered entity being forced out of business.

The purpose of these penalties for HIPAA violations is in part to punish covered entities for serious violations of HIPAA Rules, but also to send a message to other healthcare organizations that noncompliance with HIPAA Rules is not acceptable.


Penalty amounts in OCR HIPAA settlements and CMPs

OCR HIPAA Fines 2020

2020 saw more financial penalties imposed on HIPAA covered entities and business associates than in any other year since OCR started enforcing HIPAA compliance. 19 settlements were reached to resolve potential violations of the HIPAA Rules. OCR continued with its HIPAA Right of Access enforcement initiative that commenced in late 2019 and by year end had settled 11 cases where patients had not been provided with timely access to their medical records for a reasonable cost-based fee.

2020 saw the second largest settlement to resolve HIPAA violations. The health insurer Premera Blue Cross paid OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of its 2015 breach of the ePHI of 10,466,692 individuals.

2020 OCR HIPAA Settlements

Covered Entity Reason Individuals Impacted Amount
Peter Wrobel, M.D., P.C., dba Elite Primary Care HIPAA Right of Access failure 2 $36,000
University of Cincinnati Medical Center HIPAA Right of Access failure 1 $65,000
Dr. Rajendra Bhayani HIPAA Right of Access failure 1 $15,000
Riverside Psychiatric Medical Group HIPAA Right of Access failure 1 $25,000
City of New Haven, CT Failure to terminate access rights; risk analysis failure; failure to implement Privacy Rule policies; failure to issue unique IDs to allow system activity to be tracked; impermissible disclosure the PHI of 498 individuals 498 $202,400
Aetna Lack of technical and nontechnical evaluation in response to environmental or operational changes; identity check failure; minimum necessary information failure; impermissible disclosure of 18,849 records; lack of administrative, technical, and physical safeguards 18,849 $1,000,000
NY Spine HIPAA Right of Access failure 1 $100,000
Dignity Health, dba St. Joseph’s Hospital and Medical Center HIPAA Right of Access failure 1 $160,000
Premera Blue Cross Risk assessment failure; risk management failure; insufficient hardware and software controls; unauthorized access to the PHI of 10,466,692 individuals 10,466,692 $6,850,000
CHSPSC LLC Failure to conduct a risk analysis; failures to implement information system activity reviews, security incident procedures, and access controls, and a breach of the ePHI of more than 6 million individuals 6,121,158 $2,300,000
Athens Orthopedic Clinic PA Failure to conduct a risk analysis; lack of risk management and audit controls; failure to maintain HIPAA policies and procedures; business associate agreement failure; and the failure to provide HIPAA Privacy Rule training to the workforce. 208,557 $1,500,000
Housing Works, Inc. HIPAA Right of Access failure 1 $38,000
All Inclusive Medical Services, Inc. HIPAA Right of Access failure 1 $15,000
Beth Israel Lahey Health Behavioral Services HIPAA Right of Access failure 1 $70,000
King MD HIPAA Right of Access failure 1 $3,500
Wise Psychiatry, PC HIPAA Right of Access failure 1 $10,000
Lifespan Health System Affiliated Covered Entity Lack of encryption; insufficient device and media controls;ack of business associate agreements; impermissible disclosure of 20,431 patients’ ePHI 20,431 $1,040,000
Metropolitan Community Health Services dba Agape Health Services Longstanding, systemic noncompliance with the HIPAA Security Rule 1,263 $25,000

OCR HIPAA Fines 2019

HIPAA enforcement continued at a high level in 2019. Eight settlements were reached with HIPAA covered entities and business associates to resolve HIPAA violations and two civil monetary penalties were issued. The financial penalties were imposed to resolve similar violations of HIPAA Rules as previous years, but 2019 also saw the first financial penalties issued under OCR’s new HIPAA Right of Access initiative. Two covered entities settled cases over the failure to provide patients with a copy of their medical records, in the requested format, in a reasonable time frame.

2019 OCR HIPAA Settlements

Covered Entity Reason Individuals Impacted Amount
West Georgia Ambulance Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures. 500 $65,000
Korunda Medical, LLC HIPAA Right of Access failure. 1 or more $85,000
Sentara Hospitals Breach notification failure; business associate agreement failure 577 $2,175,000
University of Rochester Medical Center Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls. 43 $3,000,000
Elite Dental Associates Social media disclosure; notice of privacy practices; impermissible PHI disclosure. Unconfirmed $10,000
Bayfront Health St Petersburg HIPAA Right of Access failure 1 $85,000
Medical Informatics Engineering Risk analysis failure; impermissible disclosure of 3.5 million records 3,500,000 $100,000
Touchstone Medical imaging No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI. 307,839 $3,000,000

2019 OCR Civil Monetary Penalties

Covered Entity Reason Individuals Impacted Amount
Texas Department of Aging and Disability Services Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI 6,617 $1,600,000
Jackson Health System Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations 25,661 $2,154,000

OCR HIPAA Fines 2018

There was a year-over-year increase in HIPAA violation penalties in 2018. 11 financial penalties were agreed in 2018: 10 settlements and one civil monetary penalty. Two records were broken in 2018. 2018 saw the largest ever HIPAA settlement agreed – A $16 million financial penalty for Anthem Inc., to resolve HIPAA violations discovered during the investigation of its 78.8 million record breach in 2015. HIPAA covered entities also paid more in fines than in any other year since OCR started enforcing compliance with HIPAA Rules: $28,683,400.

2018 OCR HIPAA Settlements

Covered Entity Reason Individuals Impacted Amount
Cottage Health Risk analysis and risk management failures; No BAA 62,500 $3,000,000
Pagosa Springs Medical Center Failure to terminate employee access; No BAA 557+ $111,400
Advanced Care Hospitalists Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014 9,255 $500,000
Allergy Associates of Hartford PHI disclosure to reporter; No sanctions against employee 1 $125,000
Anthem Inc Risk analysis failure; Insufficient reviews of system activity; Failure to respond to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access 78,800,000 $16,000,000
Boston Medical Center Filming patients without consent Unspecified $100,000
Brigham and Women’s Hospital Filming patients without consent Unspecified $384,000
Massachusetts General Hospital Filming patients without consent Unspecified $515,000
Filefax, Inc. Impermissible disclosure of physical PHI – Left unprotected in truck 2,150 $100,000
Fresenius Medical Care North America 5 breaches: Investigation revealed risk analysis failures; Impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards 521 $3,500,000

2018 Civil Monetary Penalties for HIPAA Violations

Covered Entity Reason Individuals Impacted Amount
University of Texas MD Anderson Cancer Center 3 breaches resulting in an impermissible disclosure of ePHI; No Encryption 34,883 $4,348,000

OCR HIPAA Fines 2017

A summary of the 2017 OCR penalties for HIPAA violations.

2017 OCR HIPAA Settlements

Covered Entity Breach Summary Individuals Impacted Settlement Amount
Memorial Healthcare System Impermissible access of PHI by employees; Impermissible disclosure of PHI to affiliated physicians’ offices 115,143 $5,500,000
Cardionet Theft of an unencrypted laptop computer 1,391 $2,500,000
Memorial Hermann Health System Disclosure of patient’s PHI to the media 1 $2,400,000
21st Century Oncology Multiple HIPAA violations 2,213,597 $2,300,000
MAPFRE Life Insurance Company of Puerto Rico Theft of an unencrypted USB storage device 2,209 $2,200,000
Presense Health Delayed breach notifications 836 $475,000
Metro Community Provider Network Lack of a security management process to safeguard ePHI 3,200 $400,000
Luke’s-Roosevelt Hospital Center Inc. Impermissible disclosure of PHI to patient’s employer 1 $387,000
The Center for Children’s Digestive Health Lack of a business associate agreement N/A $31,000

2017 Civil Monetary Penalties for HIPAA Violations

Covered Entity Breach Summary Individuals Impacted Penalty Amount
Children’s Medical Center of Dallas Theft of unencrypted devices 6,262 $3,200,000

OCR HIPAA Fines 2016

2016 was a record year for financial penalties to resolve violations of HIPAA Rules. 2016 saw 12 settlements agreed and one civil monetary penalty issued by OCR.

2016 OCR HIPAA Settlements

Covered Entity Breach Summary Individuals Impacted Settlement Amount
Feinstein Institute for Medical Research Improper disclosure of research participants’ PHI 13,000 $3,900,000
Advocate Health Care Network Theft of desktop computers; Loss of laptop; Improper accessing of data at business associate 3,994,175 $5,550,000
University of Mississippi Medical Center Unprotected network drive 10,000 $2,750,000
Oregon Health & Science University Loss of unencrypted laptop; Storage on cloud server without BAA 4,361 $2,700,000
New York Presbyterian Hospital Filming of patients by TV crew Unconfirmed $2,200,000
North Memorial Health Care of Minnesota Theft of laptop computer; Improper disclosure to business associate 299,401 $1,550,000
St. Joseph Health PHI made available through search engines 31,800 $2,140,500
Raleigh Orthopaedic Clinic, P.A. of North Carolina Improper disclosure to business associate 17,300 $750,000
University of Massachusetts Amherst (UMass) Malware infection 1,670 $650,000
Catholic Health Care Services of the Archdiocese of Philadelphia Theft of mobile device 412 $650,000
Care New England Health System Loss of two unencrypted backup tapes 14,000 $400,000
Complete P.T., Pool & Land Physical Therapy, Inc. Improper disclosure of PHI (website testimonials) Unconfirmed $25,000

 2016 Civil Monetary Penalties for HIPAA Violations

Covered Entity Breach Summary Individuals Impacted Penalty Amount
Lincare, Inc. Improper disclosure (unprotected documents) 278 $239,800


The post What are the Penalties for HIPAA Violations? appeared first on HIPAA Journal.

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI).

OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data.

“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” said HHS Secretary Alex Azar. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”

HIPAA was initially signed into law in 1996 and the Privacy Rule took effect in 2003, prior to widespread adoption of electronic medical records and before many online and mobile services were available. The proposed updates are intended to remove some of the barriers to digital health, with definitions added for terms such as electronic health records and personal health applications.

Strengthening Patients’ Rights to their Own Healthcare Data

The HIPAA Privacy Rule gave patients the right to access their own healthcare data. The proposed changes will see those rights strengthened with regard to electronic protected health information (ePHI) and inspecting PHI in person. Individuals will be permitted to take notes and use personal resources to view and capture images of their own PHI, such as taking photographs of their own medical records and medical images. The time frame for providing patients with access to their own PHI has been shortened from 30 days to 15 days from the date of request and the identity verification burden on individuals has been eased.

Disclosures to Telecommunication Relay Services (TRS), which are used by the deaf and hard of hearing, are expressly permitted and TRS providers have been excluded from the definition of business associate.

The HHS has specified when ePHI must be provided to individuals at no cost – such as when ePHI is provided through online patient portals – and the permissible fee structure has been amended for responding to requests to direct healthcare records to a third party.

The HHS has also created a pathway for individuals to direct the sharing of ePHI in an EHR among covered health care providers and health plans. Covered entities will also be required to publish estimated fee structures on their websites for providing access to PHI and copies of PHI, as well as provide individuals with itemized bills for completed requests.

Improving Coordination of Care and Reducing the Administrative Burden

Several changes have been proposed to improve information sharing for care coordination and case management for individuals, which will make it easier for hospitals and physician practices to share patient information with other healthcare providers and social service and caregiving agencies.

If patients give their authorization for their healthcare provider or doctor to see their medical records from another healthcare provider, it will be the healthcare provider or doctor’s office that will be responsible for getting that information rather than the patient.

The privacy standard that permitted covered entities to make disclosures based on their professional judgement has been changed to permit uses and disclosures based on a covered entity’s good faith belief that a use or disclosure is in the best interests of the patient, which is more permissive.

Changes have also been proposed to remove the administrative burden on healthcare providers, such as long-awaited removal of the requirement to have patients sign a notice of privacy practices, instead they will only need to be provided with a notice of privacy practices. This change alone is expected to save the healthcare industry an estimated $3.2 billion over five years.

Changes have been proposed to improve the sharing of healthcare data in crises and emergencies. Currently, the HIPAA Privacy Rule permits covered entities to disclose patient health information to avert a serious and imminent threat to health or patient safety. The wording has been changed to avert threats when harm is ‘serious and reasonably foreseeable’. The change would make it easier for healthcare providers to share information when individuals have stated they are contemplating suicide, for instance, and would improve care coordination in emergencies such as the opioid and COVID-19 public health emergencies.

Commonsense, Bipartisan HIPAA Privacy Rules Changes

“Today’s announcement is a continuation of our ongoing work under my Regulatory Sprint to Coordinated Care to eliminate unnecessary regulatory barriers blocking patients from getting better care,” said HHS Deputy Secretary Eric Hargan. “These proposed changes reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA’s promise of privacy and security.”

The HHS is accepting comments from all healthcare industry stakeholders, including patients and their families, healthcare providers, health plans, business associates, health IT vendors and government entities. Comments must be submitted within 60 days of the publication of the notice of proposed rulemaking in the Federal Register.

With President-Elect Biden due to take office in January, it is likely there will be significant amendments to the proposed HIPAA Privacy Rule changes; however, many of the updates have been proposed to address issues that have been proving problematic for hospitals, doctors, and patients for many years and are non-partisan, commonsense changes. HHS officials hope the incoming administration will understand the need for these HIPAA Privacy Rule changes and will provide the support to ensure they are implemented.

You can view the proposed 2020 HIPAA Privacy Rule changes on this link (PDF).

The post HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights appeared first on HIPAA Journal.

HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation

The U.S Department of Health and Human Services’ has increased the civil monetary penalties for HIPAA violations to take inflation into account, in accordance with the Inflation Adjustment Act.

The final rule was issued and took effect on Tuesday November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2019. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:

Penalty Tier Level of Culpability Minimum Penalty per Violation

(2018 » 2019)

Maximum Penalty per Violation

(2018 » 2019)

New Maximum Annual Penalty

(2018 » 2019)*

1 No Knowledge $114.29 » $117 $57,051 » $58,490 $1,711,533 » $1,754,698
2 Reasonable Cause $1,141 » $1,170 $57,051 » $58,490 $1,711,533 » $1,754,698
3 Willful Neglect – Corrective Action Taken $11,410 » $11,698 $57,051 » $58,490 $1,711,533 » $1,754,698
4 Willful Neglect – No Corrective Action Taken $57,051 » $58,490 $1,711,533 » $1,754,698 $1,711,533 » $1,754,698

Penalties for HIPAA violations that occurred prior to February 18, 2019 have increased to $159 per violation, with an annual cap of $39,936 per violation category.

Earlier this year, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The maximum penalty for a HIPAA violation in the highest tier remained at $1.711 million, per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.711 million in all four penalty tiers.

*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum annual penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice of enforcement discretion stated that the reviewed penalty tiers would also be adjusted in line with inflation. The multiplier used by OCR to calculate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new maximum penalties under the notice of enforcement discretion $10,252.20 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).

While OCR’s notice of enforcement discretion states that OCR will be adopting the new, revised penalties, this has yet to be made official and is pending further rulemaking. The notification of enforcement discretion creates no legal obligations and no legal rights, so OCR could therefore legally use the above maximum penalty amount of $1,754,698 per violation category, per year across all penalty tiers.

Full details of the new penalty structures have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be viewed here (PDF).

The post HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation appeared first on HIPAA Journal.

Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $1.6 million civil monetary penalty (CMP) on Texas Health and Human Services Commission (TX HHSC) for multiple violations of Health Insurance Portability and Accountability Act (HIPAA) Rules.

TX HHSC is a state agency that operates supported living centers, regulates nursing and childcare facilities, provides mental health and substance abuse services, and administers hundreds of state programs for people in need of assistance, such as individuals with intellectual and physical disabilities.

OCR launched an investigation following receipt of a breach report from the Department of Aging and Disability Services (DADS), a state agency that was reorganized into TX HHSC in September 2017. On June 11, 2015, DADS reported a security incident to OCR which stated that the electronic protected health information (ePHI) of 6,617 individuals had been exposed over the internet. The exposed information included names, addresses, diagnoses, treatment information, Medicaid numbers, and Social Security numbers.

The information was exposed during the migration of an internal CLASS/DBMD application from a private server to a public server. A flaw in the software of the application allowed ePHI to be accessed over the internet without any authentication. As a result of the flaw, private and highly sensitive information could be found and accessed through a Google search.

TX HHSC was unable to provide documentation to demonstrate compliance with three important provisions of HIPAA Rules. OCR determined that TX HHSC had violated four HIPAA provisions.

  • 45 C.F.R. § 164.308(a)(1 )(ii)(A) – Failure to conduct a comprehensive organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI
  • 45 C.F.R. § 164.312(a)(1) – Failure to implement access controls. Credentials were not required to access ePHI contained in its CLASS/DBMD
  • 45 C.F.R. § 164.312(b) – Failure to implement audit controls that recorded user access on the public server, which prevented TX HHSC from determining who had accessed ePHI in the application during the time it was exposed.
  • 45 C.F.R. § 164.502(a) – The above failures resulted in an impermissible disclosure of the ePHI of 6,617 individuals.

Under HIPAA, financial penalties are determined based on the level of culpability. OCR determined that the violations fell short of willful neglect and constituted reasonable cause – the second penalty tier. For each of the above classes of HIPAA violation, the minimum penalty for a violation is $1,000 up to a maximum financial penalty of $100,000 per year. The risk analysis failures, access controls failures, and audit control failures spanned from 2013 to 2017, hence the $1.6 million penalty.

“Covered entities need to know who can access protected health information in their custody at all times,” said OCR Director Roger Severino. “No one should have to worry about their private health information being discoverable through a Google search.”

We initially reported on the HIPAA penalty in March 2019 when it appeared that a settlement had been reached between TX HHSC and OCR over the HIPAA violations. The 86th Legislature of the State of Texas had voted to approve the settlement; however, it would appear that the proposed settlement was rejected. OCR issued a Notice of Proposed Determination on July 29, 2019.

TX HHSC did not contest the findings of OCR’s Notice of Proposed Determination and waived the right to a hearing. OCR imposed the CMP on TX HHSC on October 25, 2019.

This is the second HIPAA penalty to be announced by OCR this week. A few days ago, OCR announced a $3 million settlement had been reached with the University of Rochester Medical Center to resolve HIPAA violations related to the loss of unencrypted devices containing ePHI.

The TX HHSC CMP is the seventh HIPAA penalty of 2019. The latest CMP brings the total HIPAA fines for 2019 up to $9,949,000.

The post Texas Health and Human Services Commission Pays $1.6 Million HIPAA Penalty appeared first on HIPAA Journal.

Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center

The University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty for the failure to encrypt mobile devices and other HIPAA violations.

URMC is one of the largest health systems in New York State with more than 26,000 employees at the Medical Center and various other components of the health system, including Strong Memorial Hospital and the School of Dentistry.

The Department of Health and Human Services’ Office for Civil Rights (OCR) launched an investigation following receipt of two breach reports from UMRC – The loss of an unencrypted flash drive and the theft of an unencrypted laptop computer in 2013 and 2017.

This was not the first time OCR had investigated URMC. An investigation was launched in 2010 following a similar breach involving a lost flash drive. In that instance, OCR provided technical compliance assistance to URMC. The latest investigation uncovered multiple violations of HIPAA Rules, including areas of noncompliance that should have been addressed after receiving technical assistance from OCR in 2010.

Under HIPAA, data encryption is not mandatory. Following a risk analysis, as part of the risk management process, covered entities must assess whether encryption is an appropriate safeguard. An alternative safeguard can be implemented in place of encryption if it provides an equivalent level of protection.

In this case, URMC had assessed risk and determined that the lack of encryption posed a high risk to the confidentiality, integrity, and availability of ePHI, yet failed to implement encryption when it was appropriate and continued to use unencrypted mobile devices that contained ePHI, in violation of 45 C.F.R. § 164.31 2(a)(2)(iv).

OCR’s investigation confirmed that the ePHI of 43 patients was contained on the stolen laptop and as a result of the theft, that information was impermissibly disclosed – 45 C.F.R. §164.502(a). OCR also determined that URMC had failed to conduct a comprehensive, organization-wide risk analysis – 45 C.F.R. § 164.308(a)(1)(ii)(A) – that included all risks to the confidentiality, integrity, and availability of ePHI, and covered ePHI stored on the lost and stolen devices.

Risks had not been sufficiently managed and reduced to reasonable and acceptable level – 45 C.F.R. §164.308(a)(l)(ii)(B) – and policies and procedures governing the receipt and removal of hardware and electronic media in and out of its facilities had not been implemented – 45 C.F.R. § 163.310(d).

In addition to the $3,000,000 financial penalty, URMC is required to adopt a robust corrective action plan to address all aspects of noncompliance identified by OCR. URMC’s compliance efforts over the next two years will be scrutinized by OCR to ensure continuing compliance.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said OCR Director Roger Severino. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

This is the sixth financial penalty of 2019 that OCR has issued to resolve violations of the Health Insurance Portability and Accountability Act and it is the fourth enforcement action to cite a risk analysis failure.

The risk analysis is one of the most important elements of HIPAA compliance and a risk analysis failure is the most common HIPAA violation cited in OCRs enforcement actions.

OCR has released a risk assessment tool to help covered entities and business associates comply with this aspect of HIPAA. Further information on the HHS risk assessment tool is available on this page.

The post Lack of Encryption Leads to $3 Million HIPAA Penalty for New York Medical Center appeared first on HIPAA Journal.

Roger Severino Gives Update on OCR HIPAA Enforcement Priorities

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C.

Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost.

Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation.

More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that Bayfront Health’s financial penalty was the first in a series of penalties for covered entities that are not providing patients with access to their health data within 30 days of the request being received.

OCR has issued guidance to help covered entities comply with this aspect of HIPAA, but now the time has come “for serious enforcement,” explained Severino.

Severino also explained that patients must be allowed to have their health data sent to health apps. The requests should only be denied if the app poses a security risk to the covered entity. Severino confirmed a covered entity is not liable for what happens to PHI after a disclosure to a health app at the patient’s request.

In many cases, patients are not being denied access to their medical records and requests for copies of medical records are being honored, but patients are being charged excessive amounts. In 2016, OCR issued guidance on the amounts that healthcare organizations can charge for providing copies of medical records and further clarification was also issued on the fee structures that can be adopted. Financial penalties for overcharging for copies of medical records can be expected.

The crackdown on patient access issues is part of the HHS Regulatory Sprint to Coordinated Care initiative and fits in with the Trump Administration’s drive to improve transparency of healthcare costs and the reduction of the cost of healthcare in the United States.

A prop is always useful for getting a point across. In this case Severino used a medical boot that he purchased to aid recovery from a torn Achilles tendon. Severino said he was advised by his doctor to purchase the boot and paid his doctor $430 for the treatment aid. He explained that he later looked online and found the exact same boot for sale on Amazon for $70, saying “This boot represents what’s wrong with price transparency.”

OCR is looking at how HIPAA can be updated to address this problem, such as requiring healthcare providers and health plans to provide information about the expected out-of-pocket costs for medical services or equipment before those items or services are provided to patients.

Contractors provide quotes for work in advance and banks provide customers with information on the costs of mortgages before providing the funds, but that doesn’t always happen in healthcare. That is something that needs to change.

Severino also touched on the issue of cybersecurity. Phishing and ransomware attacks cause a high percentage of healthcare data breaches and in many cases the attacks can be prevented by practicing good cybersecurity hygiene.

Ransomware is often installed through the exploitation of vulnerabilities in Remote Desktop Protocol. The failure to address those RDP vulnerabilities has led to several major healthcare ransomware attacks and data breaches.

Phishing attacks have been a major cause of healthcare data breaches for several years. It is not possible to prevent all attacks, but by complying with HIPAA, risk can be significantly reduced. HIPAA calls for covered entities to provide employees with training to help them identify and avoid phishing threats. Severino explained that training is critical, as is conducting phishing simulation exercises to find out how susceptible employees are to phishing.

Other cybersecurity failures that could prevent data breaches include the lack of multi-factor authentication, poor access controls, and the failure to promptly terminate access to systems when employees leave the company.

2019 may have only seen four OCR financial penalties issued to date to resolve HIPAA violations but the year is far from over. Further penalties will be announced this year, including one $2.1 million civil monetary penalty.

Severino did not confirm the reason for the penalty or provide any details, other than saying a final determination has been reached and the penalty will be announced by the department soon.

The post Roger Severino Gives Update on OCR HIPAA Enforcement Priorities appeared first on HIPAA Journal.

Dental Practice Fined $10,000 for PHI Disclosures on Yelp

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website.

Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI.

When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information.

The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the Elite review page.

In addition to the impermissible disclosures of PHI, which violated 45 C.F.R. § 164.502(a), OCR determined Elite had not implemented policies and procedures relating to PHI, in particular the release of PHI on social media and other public platforms, in violation of 45 C.F.R. § 164.530(i). Elite was also discovered not to have included the minimum required content in its Notice of Privacy Practices as required by the HIPAA Privacy Rule (45 C.F.R. § 164.520(b)).

OCR agreed to a HIPAA violation fine of $10,000 and a corrective action plan (CAP) to resolve the alleged HIPAA violations and settle the case with no admission of liability. The three potential HIPAA violations could have attracted a substantially higher financial penalty; however, when considering an appropriate financial penalty, OCR took the financial position of the practice, its size, and Elite’s cooperation with the OCR investigation into account.

“Social media is not the place for providers to discuss a patient’s care,” said OCR Director, Roger Severino.  “Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

This is the 4th OCR HIPAA settlement of 2019. In September, OCR fined Bayfront Health St Petersburg $85,000 for a HIPAA Right of Access failure. In May, two settlements were agreed to resolve multiple HIPAA violations at Medical Informatics Engineering ($100,000) and Touchstone Medical Imaging ($3,000,000).

The post Dental Practice Fined $10,000 for PHI Disclosures on Yelp appeared first on HIPAA Journal.

Senate Fails to Remove Ban on Funding of National Patient Identifier

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year.

The House of Representatives added an amendment to its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020 which removed the ban, which would allow the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

It now looks likely that the ban will remain in place for at least another year as the Senate Appropriations Subcommittee’s draft 2020 fiscal budget bill, released last Wednesday, has retained the text banning the HHS from acting on this HIPAA requirement.

The ban has been in place since 1999 and was introduced because of concerns over patient privacy. The ban has been written into the Congressional budget every year since and the proposed 2020 fiscal budget bill is no different.

The proposed fiscal budget bill includes the text, “None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the 13 standard.”

The purpose of the national patient identifier is to make it easier for patients to be efficiently matched with their health records. Regardless of where a patient receives treatment, their health data will be tied to them through their unique national patient identifier code. The new identifier would help to ensure that patient information could flow freely between different healthcare organizations and it is seen by many healthcare industry stakeholders to be essential for full interoperability. A national patient identifier could help to improve patient privacy, patient safety, and eliminate considerable waste and misspending in healthcare.

For several years, industry associations such as the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHMIA), and the Health Innovation Alliance (HIA) have been calling for the ban to be lifted.

HIA Executive Director Joel White has called the ban ‘antiquated’ and said studies have suggested that patients are matched with their records as little as 50% of the time. A national patient identifier would instantly solve that problem.

Efforts to have the ban removed have stepped up in recent years, and this year 56 healthcare stakeholder groups urged the Senate to remove the ban. Significant progress was made this year when the amendment receives strong bipartisan support in the House of Representatives.

Convincing the Senate to lift the ban is proving more difficult. As long as privacy concerns remain, the ban is unlikely to be lifted. One of the main issues is a single identifier would be used to tie medical records to an individual from birth until death, and that could allow unprecedented tracking of Americans through their health records. It could also potentially facilitate the sharing, use, and analysis of patient data without patient consent.

While the draft fiscal budget bill has not had the ban removed, it is possible that an amendment could be made at a later date. AHMIA and CHIME leaders remain hopeful that the Senate will follow the House’s lead and have the ban lifted this year.

The post Senate Fails to Remove Ban on Funding of National Patient Identifier appeared first on HIPAA Journal.

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records.

The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI or copies of health data contained in a ‘designated record set’ within 30 days of the request being received. A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage.

HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – See 45 CFR 164.501. Such violations can attract a sizable financial penalty.

This week, OCR has announced that the first settlement has been reached with a HIPAA-covered entity under the right of access initiative. Bayfront Health St. Petersburg, a 480-bed hospital in St. Petersburg, FL, has agreed to pay OCR $85,000 to settle the case.

OCR launched an investigation into a potential HIPAA violation at Bayfront Health following receipt of a complaint from a patient on August 14, 2018. The patient alleged that she had requested her fetal heart monitor records from Bayfront Health St. Petersburg in October 2017. At the time of the complaint, 9 months after the request was made, she had still not been provided with a full copy of her records.

OCR confirmed that the patient made the request on October 18, 2017 and was informed by Bayfront Health that the records could not be found. Two further requests were sent to Bayfront Health by the patient’s counsel on January 2, 2018 and February 12, 2018. In March 2018, Bayfront Health provided an incomplete set of records and a complete response was only received on August 23, 2018. The patient’s counsel shared the records with the patient, but it took the intervention of OCR for the fetal heart monitor records to be provided to the patient. Those records were provided directly to the patient on February 7, 2019.

OCR determined that the failure to provide access to the patient’s designated record set was a clear violation of 45 C.F.R. § 164.524 and that the HIPAA violation warranted a sizable financial penalty.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino.  “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the financial penalty, Bayfront Health has agreed to implement a corrective action plan and will be monitored by OCR for the following 12 months.

The post OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative appeared first on HIPAA Journal.