HITECH Act News

OCR to Produce Video Presentation on HITECH Act Recognized Security Practices

Posted June 13, 2022 by HIPAA Journal

The HHS’ Office for Civil Rights (OCR) is producing a video presentation to help HIPAA-regulated entities implement “Recognized Security Practices.”

The Health Information Technology for Economic and Clinical Health (HITECH) Act was recently amended (Public Law 116-321) to require OCR to consider recognized security practices that have been in place for at least 12 months prior to certain Security Rule enforcement and audit activities. OCR previously issued a Request for Information regarding the HITECH Act recognized security practices, the comment period for which ended last week.

There has been confusion about what constitutes recognized security practices and how it is possible to demonstrate to OCR that recognized security practices have been adopted and have been continuous for the 12 months prior to a data breach or OCR investigation.

In the video presentation, Nicholas Heesters, Senior Advisor for Cybersecurity at OCR will explain the 2021 HITECH Act amendment regarding recognized security practices, provide guidance on demonstrating security practices have been in place, how evidence of those security practices will be requested by OCR, and how to find out more information on the best security practices to implement.

Ahead of the publication of the video, OCR has requested questions from HIPAA-regulated entities to ensure they are addressed in the presentation. The deadline for submitting questions is June 17, 2022. Questions should be sent to: OCRPresents@hhs.gov

OCR will be releasing the presentation this summer and will make an announcement about how the presentation can be viewed at a later date.

The post OCR to Produce Video Presentation on HITECH Act Recognized Security Practices appeared first on HIPAA Journal.

What are the Penalties for HIPAA Violations?

Posted January 15, 2021 by HIPAA Journal

Penalties for HIPAA violations can be issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. In addition to financial penalties, covered entities are required to adopt a corrective action plan to bring policies and procedures up to the standards demanded by HIPAA.

The Health Insurance Portability and Accountability Act of 1996 placed a number of requirements on HIPAA-covered entities to safeguard the Protected Health Information (PHI) of patients, and to strictly control when PHI can be divulged, and to whom.

Since the Enforcement Final Rule of 2006, OCR has had the power to issue financial penalties (and/or corrective action plans) to HIPAA-covered entities that fail to comply with HIPAA Rules.

Financial penalties for HIPAA violations were updated by the HIPAA Omnibus Rule, which introduced charges in line with the Health Information Technology for Economic and Clinical Health Act (HITECH). The Omnibus Rule took effect on March 26, 2013.

Since the introduction of the Omnibus Rule, the new penalties for HIPAA violations apply to healthcare providers, health plans, healthcare clearinghouses, and all other covered entities, as well as to business associates (BAs) of covered entities that are found to have violated HIPAA Rules.

Financial penalties are intended to act as a deterrent to prevent the violation of HIPAA laws, while also ensuring covered entities are held accountable for their actions – or lack of them – when it comes to protecting the privacy of patients and the confidentiality of health data, and providing patients with access to their health records on request.

The penalty structure for a violation of HIPAA laws is tiered, based on the knowledge a covered entity had of the violation. The OCR sets the penalty based on a number of “general factors” and the seriousness of the HIPAA violation.

Ignorance of HIPAA Rules is no excuse for failing to comply with HIPAA Rules. It is the responsibility of each covered entity to ensure that HIPAA Rules are understood and followed. In cases when a covered entity is discovered to committed a willful violation of HIPAA laws, the maximum fines may apply.

What Constitutes a HIPAA Violation?

There is much talk of HIPAA violations in the media, but what constitutes a HIPAA violation? A HIPAA violation is when a HIPAA-covered entity – or a business associate – fails to comply with one or more of the provisions of the HIPAA Privacy, Security, or Breach Notification Rules.

A violation may be deliberate or unintentional. An example of an unintentional HIPAA violation is when too much PHI is disclosed and the minimum necessary information standard is violated. When PHI is disclosed, it must be limited to the minimum necessary information to achieve the purpose for which it is disclosed. Financial penalties for HIPAA violations can be issued for unintentional HIPAA violations, although the penalties will be at a lower rate to willful violations of HIPAA Rules.

An example of a deliberate violation is unnecessarily delaying the issuing of breach notification letters to patients and exceeding the maximum timeframe of 60 days following the discovery of a breach to issue notifications – A violation of the HIPAA Breach Notification Rule.

Many HIPAA violations are the result of negligence, such as the failure to perform an organization-wide risk assessment. Financial penalties for HIPAA violations have frequently been issued for risk assessment failures.

Penalties for HIPAA violations can potentially be issued for all HIPAA violations, although OCR typically resolves most cases through voluntary HIPAA compliance, issuing technical guidance, or accepting a covered entity or business associate’s plan to address the violations and change policies and procedures to prevent future violations from occurring. Financial penalties for HIPAA violations are reserved for the most serious violations of HIPAA Rules and for when OCR wants to “send a message” about specific violation types.

What Happens if you Violate HIPAA? – HIPAA Violation Classifications

What happens if you violate HIPAA? That depends on the severity of the violation. OCR prefers to resolve HIPAA violations using non-punitive measures, such as voluntary compliance or issuing technical guidance to help covered entities address areas of non-compliance. However, if the violations are serious, have been allowed to persist for a long time, or if there are multiple areas of noncompliance, financial penalties may be appropriate.

The four categories used for the penalty structure are as follows:

Tier 1: A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care had been taken to abide by HIPAA Rules
Tier 2: A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care. (but falling short of willful neglect of HIPAA Rules)
Tier 3: A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation
Tier 4: A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days

In the case of unknown violations, where the covered entity could not have been expected to avoid a data breach, it may seem unreasonable for a covered entity to be issued with a fine. OCR appreciates this and has the discretion to waive a financial penalty. The penalty cannot be waived if the violation involved willful neglect of the Privacy, Security, and Breach Notification Rules.

HIPAA Violation Penalty Structure

Each category of violation carries a separate HIPAA penalty. It is up to OCR to determine a financial penalty within the appropriate range. OCR considers a number of factors when determining penalties, such as the length of time a violation was allowed to persist, the number of people affected, and the nature of the data exposed. An organization’s willingness to assist with an OCR investigation is also taken into account. The general factors that can affect the amount of the financial penalty also include prior history, the organization’s financial condition, and the level of harm caused by the violation.

Tier 1: Minimum fine of $100 per violation up to $50,000
Tier 2: Minimum fine of $1,000 per violation up to $50,000
Tier 3: Minimum fine of $10,000 per violation up to $50,000
Tier 4: Minimum fine of $50,000 per violation

The above fines for HIPAA violations are those stipulated by the HITECH Act. It should be noted that these are adjusted annually to take inflation into account. The last official update to apply the inflation increases was in March 2022. The table below lists the 2022 penalties. The table will be updated to include the multiplier for 2023 when it is officially applied. The 2023 multiplier is 1.07745.

2022 HIPAA Penalty Structure

Penalty Tier	Culpability	Minimum Penalty per Violation – Inflation Adjusted	Max Penalty per Violation – Inflation Adjusted	Maximum Penalty Per Year (cap) – Inflation Adjusted
Tier 1	Lack of Knowledge	$127	$60,973	$1,919,173
Tier 2	Reasonable Cause	$1,280	$60,973	$1,919,173
Tier 3	Willful Neglect	$12,794	$60,973	$1,919,173
Tier 4	Willful Neglect (not corrected within 30 days)	$60,973	$1,919,173	$1,919,173

A data breach or security incident that results from any violation could see separate fines issued for different aspects of the breach under multiple security and privacy standards. A fine of $60,973 could, in theory, be issued for any violation of HIPAA rules; however minor.

A fine may also be applied on a daily basis. For example, if a covered entity has been denying patients the right to obtain copies of their medical records, and had been doing so for a period of one year, the OCR may decide to apply a penalty per day that the covered entity has been in violation of the law. The penalty would be multiplied by 365, not by the number of patients that have been refused access to their medical records.

OCR 2019 Notice of Enforcement Discretion Applies New Maximum Annual Penalties for HIPAA Violations

The above table of penalties is still officially in force; however, in 2019, the HHS reviewed the language of the HITECH Act with respect to the required increases for HIPAA violations and determined that the language of the HITECH Act had been misinterpreted and that it did not call for the same maximum annual penalty cap to be applied equally across all four penalty tiers. Instead, the HHS determined that the maximum annual penalty of $1.5 million ($1,919,173 in 2022) should only apply to the most serious Tier 4 violation category.

Rather than issue further rulemaking which would see the new penalty structure changed in the Federal Register, the HHS announced that OCR would be exercising enforcement discretion and would be applying a different penalty structure where each tier had a separate annual penalty cap. A Notice of Enforcement Discretion (NED) was issued in April 2019 which states that OCR will apply penalties according to the table below indefinitely, although the new penalty structure will not be legally binding until changes are made to the Federal Register. Since the NED only applied caps to the annual penalties, there is an anomaly. The maximum penalty per violation in Tier 1 was higher than the annual penalty cap, but the cap for that tier applies. This anomaly is likely to be addressed through HHS rulemaking to make the change permanent.

Penalty Tier	Culpability	Minimum Penalty per Violation	Maximum Penalty per Violation	Annual Penalty Cap
Tier 1	Lack of Knowledge	$127	$30,487	$30,487
Tier 2	Reasonable Cause	$1,280	$60,973	$121,946
Tier 3	Willful Neglect	$12,794	$60,973	$304,865
Tier 4	Willful neglect (not corrected within 30 days	$60,973	$1,919,173	$1,919,173

*This table was last updated on March 17, 2022, and includes the inflationary updates for 2022. The HHS has not officially applied the cost-of-living adjustment multiplier for 2023, the deadline for which is January 15, 2023. That deadline was missed last year. The multiplier for 2023, when it is officially applied, will be 1.07745.

Attorneys General Can Also Issue HIPAA Violation Fines

Since the introduction of the HITECH Act (Section 13410(e) (1)) in February 2009, state attorneys general have the authority to hold HIPAA-covered entities accountable for the unauthorized use or disclosure of PHI of state residents and can file civil actions with the federal district courts. HIPAA violation fines can be issued up to a maximum level of $25,000 per violation category, per calendar year. The minimum fine applicable is $100 per violation.

A covered entity suffering a data breach affecting residents in multiple states may be ordered to pay HIPAA violation fines to attorneys general in multiple states. Relatively few states have taken action against HIPAA-regulated entities for violations of the HIPAA Rules – California, Connecticut, Indiana, Massachusetts, Minnesota, New Jersey, New York, Vermont, and the District of Columbia. In recent years attorneys general have joined forces and have pursued penalties for HIPAA violations in response to large-scale data breaches that have affected individuals across the United States, and have pooled their resources and taken a cut of any settlements or civil monetary penalties. While only a small number of states have exercised their authority to issue fines for HIPAA violations, that does not mean HIPAA violations are going unpunished. Many states have pursued financial penalties for equivalent violations of state laws.

Can HIPAA Violations be Criminal?

When a HIPAA-covered entity or business associate violates HIPAA Rules, civil penalties can be imposed. When healthcare professionals violate HIPAA, it is usually their employer that receives the penalty, but not always. If healthcare professionals knowingly obtain or use protected health information for reasons that are not permitted by the HIPAA Privacy Rule, they may be found to be criminally liable for the HIPAA violation under the criminal enforcement provision of the HIPAA Administrative Simplification Regulations.

Criminal HIPAA violations are prosecuted by the Department of Justice, which is increasingly taking action against individuals that have knowingly violated HIPAA Rules. There have been several cases that have resulted in substantial fines and prison sentences.

Criminal HIPAA violations include theft of patient information for financial gain and wrongful disclosures with intent to cause harm. A lack of understanding of HIPAA requirements may not be a valid defense. When an individual “knowingly” violates HIPAA, knowingly means that they have some knowledge of the facts that constitute the offense, not that they definitely know that they are violating HIPAA Rules.

Criminal Penalties for HIPAA Violations

Criminal penalties for HIPAA violations are divided into three separate tiers, with the term – and an accompanying fine – decided by a judge based on the facts of each individual case. As with OCR, a number of general factors are considered which will affect the penalty issued. If an individual has profited from the theft, access, or disclosure of PHI, it may be necessary for all money received to be refunded, in addition to the payment of a fine.

The tiers of criminal penalties for HIPAA violations are:

Tier 1: Reasonable cause or no knowledge of violation – Up to 1 year in jail

Tier 2: Obtaining PHI under false pretenses – Up to 5 years in jail

Tier 3: Obtaining PHI for personal gain or with malicious intent – Up to 10 years in jail

In recent years, the number of employees discovered to be accessing or stealing PHI – for various reasons – has increased. The value of PHI on the black market is considerable, and this can be a big temptation for some individuals. It is therefore essential that controls are put in place to limit the opportunity for individuals to steal patient data, and for systems and policies to be put in place to ensure improper access and theft of PHI is identified promptly.

All staff likely to come into contact with PHI as part of their work duties should be informed of the HIPAA criminal penalties and that violations will not only result in loss of employment but potentially also a lengthy jail term and a heavy fine.

State attorneys general are cracking down on data theft and are keen to make examples out of individuals found to have violated HIPAA Privacy Rules. A jail term for the theft of HIPAA data is therefore highly likely.

Convictions and Jail Time for HIPAA Violations

Florida Medical Clinic Worker Sentenced to 48 Months in Jail over Theft of PHI

3-Year Jail Term for VA Employee Who Stole Patient Data

Former New York Dental Practice Receptionist Sentenced to 2-6 years for HIPAA Violation

UPMC Patient Care Coordinator Gets 1 Year Jail Term for HIPAA Violation

Employee Sanctions for HIPAA Violations

Not all HIPAA violations are a result of insider theft, and many Covered Entities and Business Associates apply a scale of employee sanctions for HIPAA violations depending on factors such as whether the violation was intentional or accidental, whether it was reported by the employee as soon as the violation was realized, and the magnitude of the breach. Some Covered Entities also apply employee sanctions for HIPAA violations on employees who were aware a violation (by another employee) had occurred but failed to report it.

Employee sanctions for HIPAA violations vary in gravity from further training to dismissal. The decision should be taken in consultation with HIPAA Privacy and Security Officers, who may have to conduct interviews with the employee, investigate audit trails, and review telephone logs – including the telephone logs of the employee´s mobile phone. Because of the expense and disruption attributable to applying employee sanctions for HIPAA violations, it is worthwhile dedicating more resources to initial employee training in order to prevent HIPAA violations – whether intentional or accidental – from occurring.

Receiving a Civil Penalty for Unknowingly Violating HIPAA

Although it was mentioned above that OCR has the discretion to waive a civil penalty for unknowingly violating HIPAA, ignorance of the HIPAA regulations is not regarded as a justifiable excuse for failing to implement the appropriate safeguards. In April 2017, the remote cardiac monitoring service CardioNet was fined $2.5 million for failing to fully understand the HIPAA requirements and subsequently failing to conduct a complete risk assessment.

As a result of the incomplete risk assessment, the PHI of 1,391 individuals was potentially disclosed without authorization when a laptop containing the data was stolen from a car parked outside an employee´s home. Speaking after details of the fine had been announced, OCR Director Roger Severino described the civil penalty for unknowingly violating HIPAA as a penalty for disregarding security.

It may also be possible for a CE or BA to receive a civil penalty for unknowingly violating HIPAA if the state in which the violation occurs allows individuals to bring legal action against the person(s) responsible for the violation. Although HIPAA lacks a private right of action, individuals can still use state regulations to establish a standard of care under common law. Several cases of this nature are currently in progress.

Penalties for Non-Compliance with HIPAA

healthcare data breach statistics - OCR HIPAA penalties 2008- Aug 2022

When deciding on an appropriate settlement, OCR considers the severity of the violation, the extent of non-compliance with HIPAA Rules, the number of individuals impacted, and the impact a breach has had on those individuals. OCR also considers the financial position of the covered entity. Punitive measures may be necessary, but penalties for HIPAA violations should not result in a covered entity being forced out of business.

The purpose of these penalties for HIPAA violations is in part to punish covered entities for serious violations of HIPAA Rules, but also to send a message to other healthcare organizations that noncompliance with HIPAA Rules is not acceptable.

OCR HIPAA fines and civil monetary penalties 2008- Aug 2022

HIPAA Penalties 2022

OCR is continuing to crack down on violations of the HIPAA Rules, with violations of the HIPAA Right of Access one of OCR’s main enforcement priorities in 2021, as it has been since the HIPAA Right of Access enforcement initiative was launched in late 2019. It is likely that HIPAA violation fines in 2022 will continue to be imposed at high levels for violations of the HIPAA Right of Access, although questions have been raised about HIPAA fines for other violations.

The HIPAA violation penalty that was imposed in 2018 on the University of Texas MD Anderson Cancer Center for a data breach and lack of encryption was overturned on appeal in 2021. On January 14, 2021, a three-member panel for the Fifth Circuit Court of Appeals unanimously vacated the $4,348,000 penalty. Since then, only a handful of HIPAA penalties have been issued for violations of the HIPAA Rules compared to those for HIPAA Right of Access failures. The decision by the Court of Appeals could be affecting OCR’s willingness to pursue financial penalties for certain HIPAA violations and may encourage HIPAA-covered entities subject to HIPAA violation cases in 2022 to appeal any proposed penalties.

OCR now has a new Director, Lisa J. Pino, who at the time of writing has only been in the position for a short time. it is therefore too early to tell what approach when will take regarding HIPAA enforcement. As and when 2022 HIPAA penalties are announced they will be listed below.

2022 HIPAA Fines and Settlements

There have been 17 HIPAA enforcement actions so far in 2022 that have resulted in financial penalties. OCR has continued with its 2019 HIPAA enforcement initiative targeting noncompliance with the HIPAA Right of Access, and penalties have also been imposed for other HIPAA violations, such as impermissible disclosures of ePHI.

In 2021, the HITECH Act was amended to include a ‘safe harbor’ for HIPAA-regulated entities that have implemented ‘recognized security practices’ for not fewer than 12 months prior to a data security incident occurring. If those security practices have been adopted, they will be considered by OCR when deciding on financial penalties and other actions in response to data incidents and could result in financial penalties being avoided altogether.

2022 HIPAA Settlements

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
New England Dermatology and Laser Center	Improper disposal of PHI, failure to maintain appropriate safeguards	58,106	$300,640
Memorial Hermann Health System	HIPAA Right of Access failure	1	$240,000
Southwest Surgical Associates	HIPAA Right of Access failure	1	$65,000
Hillcrest Nursing and Rehabilitation	HIPAA Right of Access failure	1	$55,000
MelroseWakefield Healthcare	HIPAA Right of Access failure	1	$55,000
Erie County Medical Center Corporation	HIPAA Right of Access failure	1	$50,000
Fallbrook Family Health Center	HIPAA Right of Access failure	1	$30,000
Associated Retina Specialists	HIPAA Right of Access failure	1	$22,500
Coastal Ear, Nose, and Throat	HIPAA Right of Access failure	1	$20,000
Lawrence Bell, Jr. D.D.S	HIPAA Right of Access failure	1	$5,000
Danbury Psychiatric Consultants	HIPAA Right of Access failure	1	$3,500
Oklahoma State University – Center for Health Sciences	Risk analysis, security incident response and reporting, evaluation, audit controls, breach notifications & an unauthorized disclosure	279,865	$875,000
Dr. Brockley	HIPAA Right of Access	1	$30,000
Jacob & Associates	HIPAA Right of Access, notice of privacy practices, HIPAA Privacy Officer	1	$28,000
Northcutt Dental-Fairhope	Impermissible disclosure for marketing, notice of privacy practices, HIPAA Privacy Officer	5,385	$62,500

2022 Civil Monetary Penalties for HIPAA Violations

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
ACPM Podiatry	HIPAA Right of Access failure	1	$100,000
Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A	Impermissible disclosure on social media	1	$50,000

OCR HIPAA Fines 2021

There was a reduction in the number of financial penalties for HIPAA violations in 2021 from the record number of penalties of 2020, with OCR’s decision to finalize penalties potentially being affected by the COVID-19 pandemic. That said, penalties have continued to be imposed at relatively high levels, with most of the recent HIPAA violation cases 2021 imposed for violations of the HIPAA Right of Access. Out of the 14 HIPAA violation cases in 2021 that have resulted in financial penalties, 12 have been for HIPAA Right of Access violations.

In January 2021, one of the largest ever HIPAA fines was imposed on Excellus Health Plan. The settlement resolved a HIPAA case that stemmed from an investigation of a breach of the PHI of 9,358,891 individuals that was reported to OCR in 2015. Aside from that penalty, most of the settlements and civil monetary penalties have been for relatively small amounts and have resulted from investigations of complaints from patients than reports of data breaches. As well as the 2021 HIPAA fines being lower, there was a much higher percentage of financial penalties imposed on small healthcare providers than in previous years. That trend is likely to continue in 2022.

2021 HIPAA Settlements

HIPAA Regulated Entity	Reason	Individuals Impacted	Amount
Advanced Spine & Pain Management	HIPAA Right of Access failure	1	$32,150
Denver Retina Center	HIPAA Right of Access failure	1	$30,000
Rainrock Treatment Center LLC (dba monte Nido Rainrock)	HIPAA Right of Access failure	1	$160,000
Wake Health Medical Group	HIPAA Right of Access failure	1	$10,000
Children’s Hospital & Medical Center	HIPAA Right of Access failure	1	$80,000
The Diabetes, Endocrinology & Lipidology Center, Inc.	HIPAA Right of Access failure	1	$5,000
AEON Clinical Laboratories (Peachstate)	HIPAA Security Rule failures (risk assessment, risk management, audit controls, and documentation of HIPAA Security Rule policies and procedures	Unknown	$25,000
Village Plastic Surgery	HIPAA Right of Access failure	1	$30,000
Arbour Hospital	HIPAA Right of Access failure	1	$65,000
Sharpe Healthcare	HIPAA Right of Access failure	1	$70,000
Renown Health	HIPAA Right of Access failure	1	$75,000
Excellus Health Plan	Multiple HIPAA Violations: Risk analysis, risk management, information system activity reviews, technical policies to prevent unauthorized ePHI access, breach of 9,358,891 records.	9,358,891	$5,100,000
Banner Health	HIPAA Right of Access failure	2	$200,000

2021 Civil Monetary Penalties for HIPAA Violations

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
Dr. Robert Glaser	HIPAA Right of Access failure	1	$100,000

OCR HIPAA Fines 2020

2020 saw more financial penalties imposed on HIPAA-covered entities and business associates than in any other year since OCR started enforcing HIPAA compliance. 19 settlements were reached to resolve potential violations of the HIPAA Rules. OCR continued with its HIPAA Right of Access enforcement initiative that commenced in late 2019 and by year-end had settled 11 cases where patients had not been provided with timely access to their medical records for a reasonable cost-based fee.

2020 saw the second-largest settlement to resolve HIPAA violations. The health insurer Premera Blue Cross paid OCR $6,850,000 to resolve potential HIPAA violations discovered during the investigation of its 2015 breach of the ePHI of 10,466,692 individuals.

2020 OCR HIPAA Settlements

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
Peter Wrobel, M.D., P.C., dba Elite Primary Care	HIPAA Right of Access failure	2	$36,000
University of Cincinnati Medical Center	HIPAA Right of Access failure	1	$65,000
Dr. Rajendra Bhayani	HIPAA Right of Access failure	1	$15,000
Riverside Psychiatric Medical Group	HIPAA Right of Access failure	1	$25,000
City of New Haven, CT	Failure to terminate access rights; risk analysis failure; failure to implement Privacy Rule policies; failure to issue unique IDs to allow system activity to be tracked; impermissible disclosure of the PHI of 498 individuals	498	$202,400
Aetna	Lack of technical and nontechnical evaluation in response to environmental or operational changes; identity check failure; minimum necessary information failure; impermissible disclosure of 18,849 records; lack of administrative, technical, and physical safeguards	18,849	$1,000,000
NY Spine	HIPAA Right of Access failure	1	$100,000
Dignity Health, dba St. Joseph’s Hospital and Medical Center	HIPAA Right of Access failure	1	$160,000
Premera Blue Cross	Risk assessment failure; risk management failure; insufficient hardware and software controls; unauthorized access to the PHI of 10,466,692 individuals	10,466,692	$6,850,000
CHSPSC LLC	Failure to conduct a risk analysis; failures to implement information system activity reviews, security incident procedures, and access controls, and a breach of the ePHI of more than 6 million individuals	6,121,158	$2,300,000
Athens Orthopedic Clinic PA	Failure to conduct a risk analysis; lack of risk management and audit controls; failure to maintain HIPAA policies and procedures; business associate agreement failure; and the failure to provide HIPAA Privacy Rule training to the workforce.	208,557	$1,500,000
Housing Works, Inc.	HIPAA Right of Access failure	1	$38,000
All Inclusive Medical Services, Inc.	HIPAA Right of Access failure	1	$15,000
Beth Israel Lahey Health Behavioral Services	HIPAA Right of Access failure	1	$70,000
King MD	HIPAA Right of Access failure	1	$3,500
Wise Psychiatry, PC	HIPAA Right of Access failure	1	$10,000
Lifespan Health System Affiliated Covered Entity	Lack of encryption; insufficient device and media controls; lack of business associate agreements; impermissible disclosure of 20,431 patients’ ePHI	20,431	$1,040,000
Metropolitan Community Health Services dba Agape Health Services	Longstanding, systemic noncompliance with the HIPAA Security Rule	1,263	$25,000

OCR HIPAA Fines 2019

HIPAA enforcement continued at a high level in 2019. Eight settlements were reached with HIPAA-covered entities and business associates to resolve HIPAA violations and two civil monetary penalties were issued. The financial penalties were imposed to resolve similar violations of HIPAA Rules as in previous years, but 2019 also saw the first financial penalties issued under OCR’s new HIPAA Right of Access initiative. Two covered entities settled cases over the failure to provide patients with a copy of their medical records, in the requested format, in a reasonable time frame.

2019 OCR HIPAA Settlements

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
West Georgia Ambulance	Risk analysis failure; no security awareness training program; failure to implement HIPAA Security Rule policies and procedures.	500	$65,000
Korunda Medical, LLC	HIPAA Right of Access failure.	1 or more	$85,000
Sentara Hospitals	Breach notification failure; business associate agreement failure	577	$2,175,000
University of Rochester Medical Center	Loss of flash drive/laptop; no encryption; risk analysis failure; risk management failure; lack of device media controls.	43	$3,000,000
Elite Dental Associates	Social media disclosure; notice of privacy practices; impermissible PHI disclosure.	Unconfirmed	$10,000
Bayfront Health St Petersburg	HIPAA Right of Access failure	1	$85,000
Medical Informatics Engineering	Risk analysis failure; impermissible disclosure of 3.5 million records	3,500,000	$100,000
Touchstone Medical imaging	No BAAs; insufficient access rights; risk analysis failure; failure to respond to a security incident; breach notification failure; media notification failure; impermissible disclosure of 307,839 individuals’ PHI.	307,839	$3,000,000

2019 OCR Civil Monetary Penalties

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
Texas Department of Aging and Disability Services	Risk analysis failure; access control failure; information system activity monitoring failure; impermissible disclosure of 6,617 patients ePHI	6,617	$1,600,000
Jackson Health System	Multiple Privacy Rule, Security Rule, and Breach Notification Rule violations	25,661	$2,154,000

OCR HIPAA Fines 2018

There was a year-over-year increase in HIPAA violation penalties in 2018. 11 financial penalties were agreed in 2018: 10 settlements and one civil monetary penalty. Two records were broken in 2018. 2018 saw the largest ever HIPAA settlement agreed – A $16 million financial penalty for Anthem Inc., to resolve HIPAA violations discovered during the investigation of its 78.8 million record breach in 2015. HIPAA-covered entities also paid more in fines than in any other year since OCR started enforcing compliance with HIPAA Rules: $28,683,400.

2018 OCR HIPAA Settlements

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
Cottage Health	Risk analysis and risk management failures; No BAA	62,500	$3,000,000
Pagosa Springs Medical Center	Failure to terminate employee access; No BAA	557+	$111,400
Advanced Care Hospitalists	Impermissible PHI Disclosure; No BAA; Insufficient security measures; No HIPAA compliance efforts prior to April 1, 2014	9,255	$500,000
Allergy Associates of Hartford	PHI disclosure to a reporter; No sanctions against employees	1	$125,000
Anthem Inc	Risk analysis failure; Insufficient reviews of system activity; Failure to respond to a detected breach; Insufficient technical controls to prevent unauthorized ePHI access	78,800,000	$16,000,000
Boston Medical Center	Filming patients without consent	Unspecified	$100,000
Brigham and Women’s Hospital	Filming patients without consent	Unspecified	$384,000
Massachusetts General Hospital	Filming patients without consent	Unspecified	$515,000
Filefax, Inc.	Impermissible disclosure of physical PHI – Left unprotected in truck	2,150	$100,000
Fresenius Medical Care North America	5 breaches: Investigation revealed risk analysis failures; Impermissible disclosure of ePHI; Lack of policies covering electronic devices; Lack of encryption; Insufficient security policies; Insufficient physical safeguards	521	$3,500,000

2018 Civil Monetary Penalties for HIPAA Violations

HIPAA-Regulated Entity	Reason	Individuals Impacted	Amount
University of Texas MD Anderson Cancer Center	3 breaches resulting in an impermissible disclosure of ePHI; No Encryption	34,883	$4,348,000

OCR HIPAA Fines 2017

A summary of the 2017 OCR penalties for HIPAA violations.

2017 OCR HIPAA Settlements

HIPAA-Regulated Entity	Breach Summary	Individuals Impacted	Settlement Amount
Memorial Healthcare System	Impermissible access of PHI by employees; Impermissible disclosure of PHI to affiliated physicians’ offices	115,143	$5,500,000
Cardionet	Theft of an unencrypted laptop computer	1,391	$2,500,000
Memorial Hermann Health System	Disclosure of patient’s PHI to the media	1	$2,400,000
21st Century Oncology	Multiple HIPAA violations	2,213,597	$2,300,000
MAPFRE Life Insurance Company of Puerto Rico	Theft of an unencrypted USB storage device	2,209	$2,200,000
Presense Health	Delayed breach notifications	836	$475,000
Metro Community Provider Network	Lack of a security management process to safeguard ePHI	3,200	$400,000
Luke’s-Roosevelt Hospital Center Inc.	Impermissible disclosure of PHI to patient’s employer	1	$387,000
The Center for Children’s Digestive Health	Lack of a business associate agreement	N/A	$31,000

2017 Civil Monetary Penalties for HIPAA Violations

HIPAA-Regulated Entity	Breach Summary	Individuals Impacted	Penalty Amount
Children’s Medical Center of Dallas	Theft of unencrypted devices	6,262	$3,200,000

OCR HIPAA Fines 2016

2016 was a record year for financial penalties to resolve violations of HIPAA Rules. 2016 saw 12 settlements agreed and one civil monetary penalty issued by OCR.

2016 OCR HIPAA Settlements

HIPAA-Regulated Entity	Breach Summary	Individuals Impacted	Settlement Amount
Feinstein Institute for Medical Research	Improper disclosure of research participants’ PHI	13,000	$3,900,000
Advocate Health Care Network	Theft of desktop computers; Loss of laptop; Improper accessing of data at a business associate	3,994,175	$5,550,000
University of Mississippi Medical Center	Unprotected network drive	10,000	$2,750,000
Oregon Health & Science University	Loss of unencrypted laptop; Storage on cloud server without BAA	4,361	$2,700,000
New York Presbyterian Hospital	Filming of patients by a TV crew	Unconfirmed	$2,200,000
North Memorial Health Care of Minnesota	Theft of laptop computer; Improper disclosure to a business associate	299,401	$1,550,000
St. Joseph Health	PHI made available through search engines	31,800	$2,140,500
Raleigh Orthopaedic Clinic, P.A. of North Carolina	Improper disclosure to a business associate	17,300	$750,000
University of Massachusetts Amherst (UMass)	Malware infection	1,670	$650,000
Catholic Health Care Services of the Archdiocese of Philadelphia	Theft of mobile device	412	$650,000
Care New England Health System	Loss of two unencrypted backup tapes	14,000	$400,000
Complete P.T., Pool & Land Physical Therapy, Inc.	Improper disclosure of PHI (website testimonials)	Unconfirmed	$25,000

2016 Civil Monetary Penalties for HIPAA Violations

HIPAA-Regulated Entity	Breach Summary	Individuals Impacted	Penalty Amount
Lincare, Inc.	Improper disclosure (unprotected documents)	278	$239,800

What are the Penalties for HIPAA Violations? FAQs

What is the maximum penalty for violating HIPAA?

The maximum penalty for violating HIPAA per violation is currently $1,919,173. However, it is rare that an event that results in the maximum penalty being issued is attributable to a single violation. For example, a data breach could be attributable to the failure to conduct a risk analysis, the failure to provide a security awareness training program, and a failure to prevent password sharing.

What are the consequences of a HIPAA violation?

The consequences of a HIPAA violation depend on the nature of the violation, the reason(s) behind it, the amount of harm it causes, and the organization´s previous history of compliance. In most cases, HIPAA violations are not attributable to willful neglect and HHS´ Office for Civil Rights will try to resolve first-time HIPAA violations via technical assistance or a corrective action plan.

What is the civil penalty for unknowingly violating HIPAA?

As mentioned in the above article, there is no excuse for unknowingly violating HIPAA. The Privacy and Security Rules have been in existence for more than twenty years; and, to quote OCR Director Roger Severino “the civil penalty for unknowingly violating HIPAA is a penalty for disregarding security”.

What are the categories for punishing violations of federal health care laws?

The categories for punishing violations of federal health care laws vary considerably depending on which law is being violated or which section of which law is being violated. For example, with regards to the penalties for HIPAA violations, there are four civil categories for punishing violations and three criminal categories. However, in other federal health care laws (for example, the Social Security Act), there can be dozens of categories for punishing violations of federal health care laws.

What criminal consequences are possible with a Tier 3 violation?

The criminal consequences for wrongfully and knowingly obtaining PHI for personal gain, commercial advantage, or with malicious intent are up to ten years in jail and/or a fine of up to $250,000. These penalties are pursued by the Department of Justice rather than HHS´ Office for Civil Rights.

What are the fines for HIPAA violations?

As of 2022, the fines for HIPAA violations (per violation) are:

Tier 1 – from $127 to $30,487

Tier 2 – from $1,280 to $60,973

Tier 3 – from $12,794 to $60,973

Tier 4 – from $60,973 to $1,919,173

It is important to be aware that, in addition to the fines for HIPAA violations issued by HHS´ Office for Civil Rights, State Attorneys General can issue additional fines for HIPAA violations. Furthermore, depending on the nature of the violation(s), it may be possible for affected individuals to bring a class action lawsuit against an organization guilty of a HIPAA violation.

What does a corrective action plan consist of?

The purpose of a corrective action plan is to address the underlying issue that led to a HIPAA violation and therefore what the action plan consists of will be relevant to the nature of the violation. Typically, Covered Entities and Business Associates will be required to develop or revise policies to fill gaps in their compliance; and, when new or revised policies affect the functions of the workforce, provide training on the policies.

Are penalties for HIPAA violations always related to data breaches?

No. As you will see from the tables above, several Covered Entities have been fined or reached settlement resolutions for failing to provide patients with access to their healthcare records within the permitted 30 days. One Covered Entity was fined for failing to have a Business Associate Agreement in place before disclosing ePHI to a Business Associate. None of these penalties for HIPAA violations involved the unauthorized disclosure of unsecured PHI.

How does the Office for Civil Rights find out about HIPAA violations?

The Office for Civil Rights finds out about HIPAA violations in a number of ways. For example, Covered Entities are required to report breaches of unsecured PHI within 60 days (or annually if the breach involves fewer than 500 patients), patients can use the OCR complaints portal to report a delay or refusal to access health information, and members of Covered Entities´ workforces are granted whistleblower protection for reporting non-compliance.

What if a violation occurs due to a common non-compliant practice?

Organizations that fail to monitor compliance run the risk of non-compliant practices developing in the workplace “to get the job done”. When a HIPAA violation occurs due to a common non-compliant practice, the penalty will depend on the nature of the violation, but it will most likely consist of refresher training and a compliance monitoring program – potentially by a third-party organization at the organization´s own cost.

Are HIPAA violations criminal?

Although most HIPAA violations are civil issues, when an individual wrongfully disclosures individually identifiable health information knowingly, the violation can be referred to the Department of Justice for criminal investigation. If the individual is found guilty of a criminal offense under § 1320d-6 of the Social Security Act, they can be fined up to $250,000 and sentenced to up to ten years in jail.

Has anybody ever received a custodial sentence for violating HIPAA?

Custodial sentences for HIPAA violations are rare, but they do occur – especially when an employee steals PHI to commit identify theft or to sell on for personal gain. Even when a violation does not result in a custodial sentence, the offending employee will likely be fined, lose their job, and have their license to practice withdrawn. Depending on how the employee accessed the data, Covered Entities and Business Associates can also be fined for the same violation.

The post What are the Penalties for HIPAA Violations? appeared first on HIPAA Journal.

HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation

Posted November 11, 2019 by HIPAA Journal

The U.S Department of Health and Human Services’ has increased the civil monetary penalties for HIPAA violations to take inflation into account, in accordance with the Inflation Adjustment Act.

The final rule was issued and took effect on Tuesday November 5, 2019. This rule increases the civil monetary penalties for HIPAA violations that occurred on or after February 18, 2019. Under the new penalty structure, the increases from 2018 to 2019 are detailed in the table below:

Penalty Tier	Level of Culpability	Minimum Penalty per Violation (2018 » 2019)	Maximum Penalty per Violation (2018 » 2019)	New Maximum Annual Penalty (2018 » 2019)*
1	No Knowledge	$114.29 » $117	$57,051 » $58,490	$1,711,533 » $1,754,698
2	Reasonable Cause	$1,141 » $1,170	$57,051 » $58,490	$1,711,533 » $1,754,698
3	Willful Neglect – Corrective Action Taken	$11,410 » $11,698	$57,051 » $58,490	$1,711,533 » $1,754,698
4	Willful Neglect – No Corrective Action Taken	$57,051 » $58,490	$1,711,533 » $1,754,698	$1,711,533 » $1,754,698

Penalties for HIPAA violations that occurred prior to February 18, 2019 have increased to $159 per violation, with an annual cap of $39,936 per violation category.

Earlier this year, the HHS’ Office for Civil Rights announced that it had reduced the penalties for HIPAA violations in certain tiers after a review of the wording of the HITECH Act. The maximum penalty for a HIPAA violation in the highest tier remained at $1.711 million, per violation category per year. Prior to the review, the maximum HIPAA violation penalty was $1.711 million in all four penalty tiers.

*The notice of enforcement discretion, announced on April 30, 2019, capped the maximum annual penalties at $10,000 (Tier 1), $100,000 (Tier 2), $250,000 (Tier 3), and $1,711,533 (Tier 4). The notice of enforcement discretion stated that the reviewed penalty tiers would also be adjusted in line with inflation. The multiplier used by OCR to calculate the cost-of-living increases was based on the Consumer Price Index for all Urban Consumers (CPI–U) for October 2019, which was 1.02522. That would make the new maximum penalties under the notice of enforcement discretion $10,252.20 (Tier 1), $102,522 (Tier 2), $256,305 (Tier 3), and $1,754,698 (Tier 4).

While OCR’s notice of enforcement discretion states that OCR will be adopting the new, revised penalties, this has yet to be made official and is pending further rulemaking. The notification of enforcement discretion creates no legal obligations and no legal rights, so OCR could therefore legally use the above maximum penalty amount of $1,754,698 per violation category, per year across all penalty tiers.

Full details of the new penalty structures have been published in the Federal Register for all agencies, including the FDA, ACF, HRSA, AHRQ, OIG, CMS, and OCR and can be viewed here (PDF).

The post HHS Increases Civil Monetary Penalties for HIPAA Violations in Line with Inflation appeared first on HIPAA Journal.

Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance

Posted July 10, 2019 by HIPAA Journal

Compliancy Group is offering healthcare professionals an opportunity to take part in a webinar covering the main threats facing the healthcare industry.

Threats such as ransomware, malware, and phishing will be discussed by compliance experts in relation to HIPAA and the privacy and security of patient data.

Cybersecurity has become more important than ever in healthcare. The industry is seen as a weak target by hackers, large volumes of data are stored, and patient information carries a high value on the black market.

April 2019 saw the highest number of healthcare data breaches in a single month and more healthcare data breaches were reported in 2018 than in any other year to date. The increased frequency of attacks on organizations of all sizes highlights just how important cybersecurity has become.

Cyberattacks are not only negatively affecting businesses in the healthcare sector, but also place the privacy of patient’s health information at risk. While it was once sufficient to implement standard security tools, the sophisticated nature of attacks today mean new solutions are required to protect against cyberattacks.

Protecting against cyberattacks while ensuring compliance with HIPAA can be a challenge and oversights could easily lead to a costly breach or regulatory fine.

In the latest Compliancy Group webinar, compliancy experts will walk you through the inns and outs of the regulations and you can find out more about cybersecurity with respect to the requirements of HIPAA and HITECH.

Webinar:

Ransomware, Malware, Phishing, Oh My!

Wednesday, July 10th

2:00 ET/11:00 PT

Advance Registration

The post Webinar: Ransomware, Malware, Phishing, and HIPAA Compliance appeared first on HIPAA Journal.

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

Posted June 6, 2019 by HIPAA Journal

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts.

The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program.

One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs.

In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act.

Both alleged Coffey Health System had falsely claimed it had conducted risk analyses in order to receive incentive payments and was aware that those claims were false when they were submitted. As a result of the false claims, Coffey Health System received payments of $3 million under the Meaningful Use program which it did not qualify for.

Awad found no documentation that demonstrated risk analyses had been performed and had personally conducted some basic tests on network security and made an alarming discovery: The health system shared a firewall with Coffey County municipalities. That security failure allowed anyone to login to its system and see patient records from locations protected by the same firewall, including schools and libraries, by using its IP address and logging in. Any attempt to do so required no username or password – A major security failure and violation of the HIPAA Security Rule.

In 2014, Awad arranged for a third-party firm to conduct a risk analysis for the 2014 attestation. The risk analysis revealed several security issues including 5 critical vulnerabilities that had been allowed to persist unchecked. While some attempts were made to correct the issues identified in the risk analysis, Awad was not provided with sufficient resources to ensure those vulnerabilities were properly addressed. He claimed that few of the identified vulnerabilities had been corrected.

When the time came to submit the 2014 attestation, Awad refused to do so as several vulnerabilities had not been addressed. As a result of the failure to support the attestation, Awad was terminated. Awad and McKerrigan then sued Coffey Health System.

Under the whistleblower provisions of the False Claims Act, individuals can sue organizations on behalf of the government and receive a share of any settlement. Awad and McKerrigan will share $50,000 of the $250,000 settlement.

Coffey Health System settled the case with no admission of liability.

The post Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts appeared first on HIPAA Journal.

HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability

Posted April 29, 2019 by HIPAA Journal

Body:

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered and will be reducing the maximum financial penalty for three of the four penalty tiers.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations.

The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated.

The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules.

The 3rd penalty tier applies when there was willful neglect of HIPAA Rules, but the covered entity corrected the problem within 30 days.

The 4th tier applies when there was willful neglect of HIPAA Rules and no efforts were made to correct the problem in a timely manner.

The maximum penalty across all four tiers was set at $1.5 million for violations of an identical provision in a single calendar year.

On January 25, 2013, the HHS implemented an interim final rule (IFR) and adopted the new penalty structure, but believed at the time that there were inconsistencies in the language of the HITCH Act with respect to the penalty amounts. The HHS determined at the time that the most logical reading of the law was to apply the same maximum penalty cap of $1,500,000 across all four penalty tiers.

The HHS has now reviewed the language of the HITECH Act and believes a better reading of the requirements of the HITECH Act would be for the annual penalty caps to be different in three of the four tiers to better reflect the level of culpability. The minimum and maximum amounts in each tier will remain unchanged.

New Interpretation of the HITECT ACT’s Penalties for HIPAA Violations

Penalty Tier	Level of Culpability	Minimum Penalty per Violation	Maximum Penalty per Violation	Old Maximum Annual Penalty	New Maximum Annual Penalty
1	No Knowledge	$100	$50,000	$1,500,000	$25,000
2	Reasonable Cause	$1,000	$50,000	$1,500,000	$100,000
3	Willful Neglect – Corrective Action Taken	$10,000	$50,000	$1,500,000	$250,000
4	Willful Neglect – No Corrective Action Taken	$50,000	$50,000	$1,500,000	$1,500,000

The HHS will publish its notification in the Federal Register on April 30, 2019. The HHS notes that its notification of enforcement discretion creates no legal obligations and no legal rights. Consequently, it is not necessary for it to be reviewed by the Office of Management and Budget.

The new penalty caps will be adopted by the HHS until further notice and will continue to be adjusted annually to account for inflation. The HHS expects to engage in further rulemaking to review the penalty amounts to better reflect the text of the HITECH Act.

The post HHS To Apply New Caps on Financial Penalties for HIPAA Violations to Reflect Level of Culpability appeared first on HIPAA Journal.

OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center

Posted June 19, 2018 by HIPAA Journal

The Department of Health and Human Services’ Office for Civil Rights has announced its fourth largest HIPAA violation penalty has been issued to The University of Texas MD Anderson Cancer Center (MD Anderson). MD Anderson has been ordered to pay $4,348,000 in civil monetary penalties to resolve the HIPAA violations related to three data breaches experienced in 2012 and 2013.

MD Anderson is an academic institution and a cancer treatment and research center based at the Texas Medical Center in Houston, TX. Following the submission of three breach reports in 2012 and 2013, OCR launched an investigation to determine whether the breaches were caused as a result of MD Anderson having failed to comply with HIPAA Rules.

The breaches in question were the theft of an unencrypted laptop computer from the home of an MD Anderson employee and the loss of two unencrypted USB thumb drives, each of which contained the electronic protected health information (ePHI) of its patients. In total, the PHI of 34,883 patients was exposed and could potentially have been viewed by unauthorized individuals.

The investigation revealed that MD Anderson had conducted a risk analysis, as is required by HIPAA. That risk analysis revealed the use of unencrypted devices posed a serious threat to the confidentiality, integrity, and availability of ePHI. To address the risk, in 2006 MD Anderson developed policies that required all portable storage devices to be encrypted.

However, even though policies called for the use of encryption, encryption was not implemented until March 24, 2011. When encryption was implemented, it was not implemented on all portable devices in its inventory. MD Anderson reported to OCR that by January 25, 2013, it had only encrypted 98% of its computers. If MD Anderson had implemented encryption on all portable electronic devices containing ePHI, the three breaches would have been prevented.

Preventable Data Breaches Experienced by MD Anderson

The laptop was stolen from the home of Dr. Randall Millikan on April 30, 2012. Dr. Millikan confirmed that the ePHI on the device were not encrypted, the laptop was not password protected, and the ePHI could potentially have been viewed by family members at his home as a result, as well as by the individual who stole the laptop.

The USB devices were lost on or around July 12, 2012 and December 2, 2013. The first contained an Excel file containing the ePHI of 2,264 individuals. The device was lost by a summer intern on her way home from work. The second USB drive was lost by a visiting researcher from Brazil at some point over the Thanksgiving weekend. The device was usually left in the tray on her desk. Neither device was encrypted or password protected.

Between 2010 and 2011, MD Anderson’s Information Security Program and Annual Reports stated clearly that the storage of ePHI on mobile media was a key risk area that had not yet been mitigated, which was also detailed in its risk analysis for fiscal year 2011. That risk analysis determined that employees were downloading ePHI onto portable storage devices for use outside the institution. The failure to address the risk was a violation of 45 C.F.R. § 164.312(a)(2)(iv) and its own policies.

Penalties for HIPAA Violations

When financial penalties are deemed appropriate, OCR usually negotiates with the covered entity and a settlement is agreed; however, MD Anderson disagreed with OCR’s decision and maintained the financial penalty was unreasonable. Specifically, MD Anderson claimed that it was not obligated to use encryption as the data on the devices were used for research purposes, and that the research was not subject to HIPAA’s nondisclosure requirements. A covered entity has the right to contest penalties for HIPAA violations. Consequently, the matter was referred to an Administrative Law Judge.

OCR proposed penalties for HIPAA violations under the tier of ‘reasonable cause’. OCR wrote in its Notice of Proposed Determination, “Reasonable cause is “an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.”

The penalty amounts in such cases are a minimum of $1,000 for each violation up to a maximum of $1.5 million per calendar year.

OCR determined penalties were appropriate for calendar year 2011 (283 days from March 24 to December 31), calendar year 2012 (366 days from January 1 to December 31) and calendar year 2013 (25 days from January 1 to January 25), and applied the maximum penalty of $1.5 million for each of those calendar years.

Administrative Law Judge Steven T. Kessell granted summary judgement in favor of OCR to remedy MD Anderson’s noncompliance with 45 C.F.R. § 164.312(a) – Technical Safeguards; encryption – and 45 C.F.R. § 164.502(a) – Uses and Disclosure of PHI; impermissible disclosure of ePHI.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as data encryption, when required to protect sensitive patient information.”

The post OCR Announces $4.3 Million Civil Monetary Penalty for University of Texas MD Anderson Cancer Center appeared first on HIPAA Journal.

The HIPAA Conduit Exception Rule and Transmission of PHI

Posted January 19, 2018 by HIPAA Journal

The HIPAA Conduit Exception Rule is a source of confusion for many HIPAA covered entities, but it is essential that this aspect of HIPAA is understood. Failure to correctly classify a service provider as a conduit or a business associate could see HIPAA Rules violated and a significant financial penalty issued for noncompliance.

The HIPAA Omnibus Final Rule and Business Associates

On January 25, 2013, the HIPAA Omnibus Final Rule was issued. The HIPAA Omnibus Final Rule introduced a swathe of updates to HIPAA Rules, including the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Omnibus Final Rule included an update to the definition of a business associate. Prior to January 25, 2013, a business associate was a person or entity that creates, receives, or transmits protected health information (PHI) on behalf of a covered entity. The Omnibus rule added ‘maintains’ to that definition. That meant companies that store electronic information – or physical records – are considered business associates. The Omnibus Rule also confirmed that most data transmission service providers are also classed as business associates.

What is the HIPAA Conduit Exception Rule?

The HIPAA Conduit Exception Rule is detailed in the HIPAA Privacy Rule, but was defined in the HIPAA Omnibus Final Rule. The Rule allows HIPAA-covered entities to use certain vendors without having to enter into a business associate agreement. The HIPAA Conduit Exception Rule is narrow and excludes an extremely limited group of entities from having to enter into business associate agreements with covered entities. The Rule applies to entities that transmit PHI but do not have access to the transmitted information and do not store copies of data. They simply act as conduits through which PHI flows.

HIPAA Conduit Exception Rule covers organizations such as the US Postal Service and certain other private couriers such as Fed-Ex, UPS, and DHL as well as their electronic equivalents. Companies that simply provide data transmission services, such as internet Service Providers (ISPs), are considered conduits.

The HIPAA Conduit Exception Rule is limited to transmission-only services for PHI. If PHI is stored by a conduit, the storage must be transient in nature, and not persistent.

It does not matter if the service provider says they do not access transmitted information. To be considered a conduit, the service provider must not have access to PHI, must only store transmitted information temporarily, and should not have a key to unlock encrypted data.

Vendors that are often misclassified as conduits are email service providers, fax service providers, cloud service providers, and SMS and messaging service providers. These service providers are NOT considered conduits and all must enter into a business associate agreement with a covered entity prior to the service being used in conjunction with any PHI.

Some service providers claim that they are conduits when they are not, in order to avoid having to sign a business associate agreement. Certain fax service providers have claimed they are conduits, and while they appear at face value to be an electronic equivalent to an organization such as the US Postal Service, they are not covered by the HIPAA Conduit Exception Rule. Fax services do not simply send documents from the sender to the recipient. Faxes are stored, and the storage is not considered transient.

Penalties for Misclassifying a Business Associate as a Conduit

Any vendor that has routine access to PHI is considered a business associate (We have covered the definition of a HIPAA business associate on this page). All business associates must sign a business associate agreement with the HIPAA-covered entity before PHI is provided or access to PHI is granted.

Misclassifying a vendor as a conduit rather than a business associate can result in a significant financial penalty, since PHI will have been disclosed without first entering into a business associate agreement.

The Department of Health and Human Services’ Office for Civil Rights has financially penalized many covered entities that have been discovered to have disclosed PHI to a vendor without obtaining a BAA.

In 2017, the Center for Children’s Digestive Health settled with OCR for $31,000 to resolve business associate agreement failures. In 2016, Care New England Health System settled its HIPAA violation case for $400,000, North Memorial Health Care of Minnesota paid $1,550,000 and Oregon Health & Science University settled for $2,700,000.

The post The HIPAA Conduit Exception Rule and Transmission of PHI appeared first on HIPAA Journal.

HHS Sued by CIOX Health Over Unlawful HIPAA Regulations

Posted January 16, 2018 by HIPAA Journal

The Department of Health and Human Services is being sued by CIOX Health, a medical record retrieval company, over updates to HIPAA laws that place restrictions on the amount that can be charged to patients for providing them with copies of their medical records.

CIOX Health claims the HIPAA Omnibus Rule updates in 2013, “unlawfully, unreasonably, arbitrarily and capriciously,” restrict the fees that can be charged by providers and their business associates for providing copies of the health information stored on patients.

Changes to HIPAA Rules not only placed a limit on the fees, but also expanded the types of information that must be provided to patients, on request. Accessing some of that information, in particular health information that is not stored in electronic medical records, is costly. Yet, even though the costs of processing some requests are high, HIPAA limits charges to $6.50 according to the lawsuit.

CIOX Health argues that this flat rate fee is an arbitrary figure that bears no relation to the actual cost of honoring patient requests for copies of their health information, and such a low fee is hurting its business. CIOX Health wants the HHS to reverse the changes made to HIPAA in 2013 and 2016 with respect to how much can be charged and the provision of copies of any type of medical information.

While the flat fee of $6.50 is the maximum that can be charged, it should be noted that the maximum fee only applies if the healthcare provider or company chooses that option. HIPAA does not prevent healthcare organizations from charging more. If they choose not to charge a flat fee, they are permitted to charge patients “actual or average allowable costs for requests for electronic copies of PHI maintained electronically.” The HHS confirmed this in May 2016 in response to questions asked via its web portal.

Tremendous Financial Burdens on Healthcare Providers

In the lawsuit, CIOX Health says, “HHS’s continued application and enforcement of these rules impose tremendous financial and regulatory burdens on healthcare providers and threatens to upend the medical records industry that services them.”

These changes to HIPAA Rules “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry by effectively and quite deliberately mandating that they fulfill a rapidly growing percentage of requests for protected health information at a net loss.”

The changes to the types of health information that must be provided on request now includes medical information in any form whatsoever, including electronic medical records in EHR systems, but also paper records and films that have been transferred to third parties.

In the case of electronic records, they can be located in several different virtual locations, while paper records and films may be stored in several different physical locations. Providing copies of complete record sets requires staff to be sent to each of those locations to retrieve the records, and even accessing multiple virtual locations is a time consuming and costly process. Records must also be verified and compiled, which all takes time.

CIOX Health serves more than 16,000 physician practices and processes tens of millions of requests for copies of medical records every year. The restrictions on charges has potentially hurt its business, according to the lawsuit.

This is not the only legal action that CIOX Health is involved in which is related to providing patients with copies of their medical records. CIOX is the co-defendant in a November 2017 lawsuit that claims more than 60 Indiana hospitals have been failing to provide copies of medical records to patients within 3 days, as required by the HITECH Act, even though they accepted payments and claimed that they were meeting HITECT Act requirements. The defendants are also alleged to have overcharged patients for copies of medical records.

The post HHS Sued by CIOX Health Over Unlawful HIPAA Regulations appeared first on HIPAA Journal.