Legal News

Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General

The Rhode Island Public Transit Authority (RIPTA) has recently notified the Department of Health and Human Services’ Office for Civil Rights about a data breach involving the protected health information (PHI) of 5,015 members of its group health plan.

RIPTA explained in a breach notice on its website that the cyberattack was detected and blocked on August 5, 2021, and the forensic investigation determined hackers had access to its network from August 3, 2021. A comprehensive review of files on the compromised parts of its network identified files related to the RIPTA health plan, which were found to contain the names, addresses, dates of birth, Social Security numbers, Medicare ID numbers, qualification information, health plan ID numbers, and claims information of health plan members. It was also confirmed that those files had been exfiltrated from its systems by the attackers.

RIPTA sent notification letters to affected individuals on December 22, 2021, and offered a complimentary membership to Equifax’s identity monitoring services. RIPTA also explained in its website breach notice that it has implemented additional security measures to prevent further data breaches.

In the days following the mailing of notification letters, the office of the Rhode Island attorney general received a high number of calls from individuals who had received a letter informing them that their personal and health information had been compromised in the data breach, even though they had no direct connection to RIPTA. Several complaints were also made to the Rhode Island American Civil Liberties Union (ACLU).

On December 28, 2021, Steve Brown, Executive Director of the Rhode Island ACLU, wrote to Scott Avedisian, CEO of RIPTA, seeking answers about the data breach and why individuals with no relationship whatsoever with RIPTA had been notified that their personal data was involved. Brown also said in the letter that “The information that has been provided publicly by RIPTA about this security breach is, in many ways, significantly and materially different from the information RIPTA has provided the affected individuals about it.”

The public notice on the RIPTA website made two references to a breach of RIPTA health plan data, specifically stating the breach involved “the personal information of our health plan” and “files pertaining to RIPTA’s health plan.” Brown said the public notice is “extremely misleading and seriously downplays the extensive nature of the breach.” Brown said all of the complainants said they had never been employed by RIPTA, and some said they had never even ridden on a RIPTA bus.

Further, the breach notice submitted to the HHS’ Office for Civil Rights indicates 5,015 health plan members were affected, when the notification letters stated the breach affected 17,378 individuals in Rhode Island, which raises the question of why RIPTA was storing the data of an additional 12,363 individuals.

Brown also pointed out that the notification letters explained the breach was detected on August 5, 2021, yet it took RIPTA two and a half months to identify the individuals that had been affected, and then a further two months for notification letters to be issued.

RIPTA senior executive Courtney Marciano explained to the Providence Journal that the files obtained by the hackers included the data of individuals with no connection to RIPTA because RIPTA’s previous health insurance provider had sent files that contained the personal and health data of individuals with no connection to RIPTA. RIPTA had previously used UnitedHealthcare for its group health plan but then switched to Horizon BlueCross/Blue Shield of Rhode Island. The files sent to RIPTA by UnitedHealthcare allegedly contained details of health claims of all state employees.

The reason for the delay in issuing notifications was explained as being due to the labor-intensive process of determining which individuals had been affected and verifying contact information, and also sorting through the files to determine which claims were for current or former RIPTA employees.

Rhode Island Attorney General Peter Neronha told The Providence Journal that he will be opening an investigation into the data breach to determine if any state laws have been violated, such as the Identity Theft Protection Act of 2015. The HHS’ Office for Civil Rights may also choose to investigate UnitedHealthcare over the apparent impermissible disclosure of the PHI of state employees to RIPTA. The OCR breach portal has no corresponding breach report from UnitedHealthcare.

The post Rhode Island Public Transit Authority Data Breach to be Investigated by State Attorney General appeared first on HIPAA Journal.

Accountancy Firm Facing Class Action Lawsuit Alleging Negligence and Breach Notification Failures

The Chicago, IL-based certified public accounting firm Bansley & Kiener LLP is facing a class action lawsuit over a data breach that was reported to regulators this December.

The breach in question occurred in the second half of 2020, with the investigation indicating hackers accessed its systems between August 20, 2020, and December 1, 2020. Bansley & Kiener discovered the breach on December 10, 2020, when ransomware was used to encrypt files. Bansley & Kiener explained in its breach notification letters that it was confirmed on May 24, 2021, that the attackers had exfiltrated data from its systems prior to encrypting files.

Bansley & Kiener manages payroll, health insurance, and pension plans for its clients. In total, the sensitive information of 274,000 individuals was exposed or compromised, including names, dates of birth, Social Security numbers, passport numbers, tax IDs, military IDs, driver’s license numbers, financial account information, payment card numbers, health information, and complaint claims.

While the attack was detected in December 2020, it took until December 2021 for notification letters to be issued to affected individuals and for state attorneys general and the HHS’ Office for Civil Rights to be notified about the breach, 6 months after it was confirmed that sensitive data was stolen in the attack.

The lawsuit was filed by Mason Lietz & Klinger LLP in the Circuit Court, First Judicial Circuit of Cook County, Illinois on behalf of plaintiff Gregg Nelson. The lawsuit alleges Bansley & Kiener failed to safeguard the sensitive data of its clients and failed to provide timely, accurate, and adequate notice of the data breach to individuals whose sensitive information was stolen.

According to the lawsuit, Bansley & Kiener unnecessarily delayed the issuing of notifications about the data breach, even though the individuals whose data was stolen were placed at significant risk of identity theft and various other forms of personal, social, and financial harm. When the notifications were sent, they failed to fully explain the nature of the breach. They did not explain that this was a ransomware attack and referred to the incident as an unauthorized person gaining access to its network that resulted in the encryption of systems.

The lawsuit also takes issue with the response to the data breach. After discovering the attack, files were restored from backups and normal business operations were resumed, and it was only when it was discovered that data had been exfiltrated from its systems, 5 months after the attack, that cybersecurity experts were retained to investigate the breach.

The lawsuit alleges Bansley & Kiener suffered a data breach due to “negligent and/or careless acts and omissions” relating to the safeguarding of sensitive data, and failed to monitor its systems for security vulnerabilities. The lawsuit alleges victims of the breach have incurred out-of-pocket expenses related to the prevention, detection, and resolution of identity theft and/or unauthorized use of their data, have spent time trying to mitigate the effects of the data breach, and have suffered from the lost or diminished value of their personal data.

The lawsuit seeks actual, nominal, and consequential damages, punitive damages, injunctive relief, legal costs, and a jury trial.


New Jersey Fines Hackensack Healthcare Providers for PHI Breach and HIPAA Violations

The New Jersey Division of Consumer Affairs has agreed to settle a data breach investigation that uncovered violations of the New Jersey Consumer Fraud Act and the federal Health Insurance Portability and Accountability Act (HIPAA).

Hackensack, NJ-based Regional Cancer Care Associates is an umbrella name for three healthcare providers that operate healthcare facilities in 30 locations in Connecticut, New Jersey, and Maryland: Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC.

Between April and June 2019, several employee email accounts were compromised. Employees had responded to targeted phishing emails and disclosed their credentials, which allowed the attackers to access their email accounts and the protected health information (PHI) they contained, including names, Social Security numbers, driver’s license numbers, health records, bank account information, and credit card details.

In July 2019, notification letters were sent to 13,047 individuals by a third-party vendor; however, the letters were mismailed to the individuals’ next-of-kin. The notification letters disclosed sensitive information such as the patient’s medical conditions, including cancer diagnoses, when consent to disclose that information had not been provided by the patients.

Across the two incidents, the PHI of more than 105,000 individuals was exposed or impermissibly disclosed, including the PHI of more than 80,000 New Jersey residents.

“New Jerseyans battling cancer should never have to worry about whether their medical providers are properly securing and protecting their personal information from cyber threats,” said New Jersey Acting Attorney General Bruck. “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short.”

The companies are alleged to have violated HIPAA and the Consumer Fraud Act by failing to ensure the confidentiality, integrity, and availability of patient data, failing to protect against reasonably anticipated threats to the security and integrity of patient data, failing to implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level, failing to conduct an accurate and comprehensive risk assessment, and failing to implement a security awareness and training program for all members of their workforce.

Under the terms of the settlement, the three companies will pay a financial penalty of $425,000 and are required to implement further privacy and security measures to ensure the confidentiality, integrity, and availability of PHI.

The companies are required to implement and maintain a comprehensive information security program, a written incident response plan and cybersecurity operations center, employ a CISO to oversee cybersecurity, conduct initial training for employees and annual training on information privacy and security policies, and obtain a third-party assessment on policies and procedures relating to the collection, storage, maintenance, transmission, and disposal of patient data.

“Companies have a duty to take meaningful steps to safeguard protected health and personal information, and to avoid unauthorized disclosures,” said Division of Consumer Affairs Acting Director Sean P. Neafsey. “Our investigation revealed RCCA failed to fully comply with HIPAA requirements, and I am pleased that the companies have agreed to improve their security measures to ensure consumers’ information is protected.”

New Jersey has been one of the most active states in HIPAA enforcement. In the past few months, settlements have been reached with two other companies for violations of HIPAA and the Consumer Fraud Act. In October, a New Jersey fertility clinic was fined $495,000, and two printing companies were fined $130,000 in November.


Planned Parenthood Los Angeles Facing Class Action Lawsuit Over October 2021 Ransomware Attack

Planned Parenthood Los Angeles (PPLA) is facing a class action lawsuit over a ransomware attack that was discovered on October 17, 2021. The cyberattack exposed the protected health information of 409,759 patients. In the notification letters sent to affected individuals on November 30, 2021, PPLA explained that its systems were breached on October 9, 2021, and the hackers had access to files containing PHI until October 17, when they were ejected from the network.

The files on the affected systems contained names, addresses, birth dates, diagnoses, treatment, and prescription information, and some files were exfiltrated from its network prior to file encryption. PPLA said it has found no evidence to suggest patient data has been misused.

A PPLA patient whose PHI was exposed in the data breach has taken legal action over the incident. The lawsuit was filed in the U.S. District Court for the Central District of California and alleges the patient, and class members, have been placed at imminent risk of harm as a result of the theft of their sensitive health data, which included electronic health records that detail the procedures performed by PPLA, such as abortions, treatment of sexually transmitted diseases, emergency contraception prescriptions, cancer screening information, and other highly sensitive health data.

The lawsuit also references the timing of the attack, which coincided with Supreme Court debates on abortion, and says the exposure of information on abortion procedures at such a time makes it more likely that patients will suffer harm. In addition to facing an imminent risk of harm, affected individuals are likely to continue to suffer economic and actual harm and have lost control of their healthcare data. They have also incurred out-of-pocket expenses as a direct result of the data breach such as costs and time spent securing their accounts, monitoring for identity theft and fraud, and taking action to prevent misuse of their personal information. The lead plaintiff alleges she has suffered actual harm as a result of the breach, including stress and anxiety, and has also suffered damage and diminution in the value of her personal information.

While there is no private cause of action in the Health Insurance Portability and Accountability Act (HIPAA), the lawsuit alleges PPLA violated HIPAA by failing to ensure the confidentiality of patient data and by failing to implement sufficient cybersecurity measures to prevent unauthorized PHI access. The lawsuit also states that this is the third data breach PPLA has suffered in the past three years.

In addition to the HIPAA violations, the lawsuit claims PPLA also violated the California Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA).

The lawsuit seeks compensatory and statutory damages, injunctive relief, investment in cybersecurity measures to ensure further breaches do not occur, and for affected individuals to be provided with identity theft protection and restoration services and to be covered by an identity theft insurance policy.


Medical Biller Faces Decades in Jail for Healthcare Fraud, Identity Theft, and Tax Offenses

A medical biller in the Tampa Bay area of Florida has pleaded guilty to four counts of healthcare fraud, four counts of aggravated identity theft, two counts of failing to file a tax return, and one count of filing a false tax return.

Joshua Maywalt, 40, of Tampa, worked as a medical biller at a Clearwater company that provided credentialing and medical billing services to a range of healthcare provider clients in Florida. In his capacity as a medical biller, Maywalt was able to access the company’s financial, medical provider, and patient information.

Maywalt was assigned to a Tampa Bay area physician’s account and submitted claims to Florida Medicaid HMOs for services provided by that physician to recipients of Medicaid. Maywalt wrongfully accessed the company’s patient information and used the name and identification number of the physician to submit false and fraudulent claims to a Florida Medicaid HMO for services that Maywalt claimed were provided by the physician when they had not been. The “pay to” information on the claims for the fictitious medical services was changed to account numbers under Maywalt’s control.

For the 2017 and 2018 tax years, Maywalt failed to file a tax return with the Internal Revenue Service, and he filed a false tax return for the 2019 tax year in which he substantially underreported his income by omitting the amounts paid into his bank accounts from his fraudulent billing activities.

According to the United States Attorney’s Office, Middle District of Florida, Maywalt will forfeit $2.2 million in funds and real estate property that are directly traceable to his offenses. He now faces a maximum jail term of 53 years: 10 years for each healthcare fraud count, up to 3 years for filing a false tax return, up to 1 year for each count of failure to file a tax return, and a mandatory 2 years for each count of aggravated identity theft. The aggravated identity theft sentences will run consecutively.

The case was investigated by the Department of Health and Human Services’ Office of the Inspector General, the Federal Bureau of Investigation, the Florida Attorney General’s Medicaid Fraud Control Unit, and the Internal Revenue Service – Criminal Investigation.


New Mexico Hospital Hit with Class Action Lawsuit over 2020 Data Breach

San Juan Regional Medical Center in Farmington, New Mexico is facing a class action lawsuit over a 2020 data breach that was announced in June 2021. The breach investigation confirmed an unauthorized individual gained access to its network and exfiltrated files containing sensitive patient data between September 7, 2020, and September 8, 2020.

The data breach was initially reported to the HHS’ Office for Civil Rights as affecting 500 individuals, with San Juan Regional Medical Center saying at the time that at least 500 individuals had been affected. When the total number of individuals affected by a security breach is not known, breaches can be reported to OCR and the breach report updated when further information is known. The breach investigation later confirmed that the protected health information (PHI) of 68,792 individuals had potentially been stolen in the attack.

While data theft was confirmed, the hospital has not uncovered any evidence to suggest any patient’s PHI has been misused and individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed on October 7, 2021, on behalf of Jeremy Henderson and all other San Juan Regional Medical Center patients affected by the data breach. The lawsuit alleges the way San Juan Regional Medical Center handled patient data was negligent, which resulted in sensitive information being exposed and stolen by hackers. The lawsuit also alleges the hospital failed to implement appropriate safeguards to protect patient data, in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit also takes issue with the length of time it took to issue notifications. Henderson said he was notified about the breach on September 13, 2021, more than a year after his PHI was stolen.

The lawsuit alleges the plaintiff and class members face a substantial risk of identity theft and fraud as a result of the theft of their protected health information and will be required to spend time and effort monitoring their accounts and statements and taking other steps to protect against identity theft and fraud, and that 12 months of credit monitoring and identity theft protection services is insufficient. The lawsuit seeks unspecified damages.


Patient Sues Eskenazi Health Over Ransomware Attack and Misuse of Her Data

An Eskenazi Health patient whose protected health information was stolen in an August 2021 ransomware attack is suing the healthcare provider over the data breach.

It is now common for ransomware gangs to exfiltrate sensitive data prior to using ransomware to encrypt files. The stolen data is used to threaten victims to encourage payment of the ransom, as was the case in the Eskenazi Health ransomware attack. Indianapolis, IN-based Eskenazi Health discovered the attack in early August and immediately shut down its computer systems in an attempt to prevent further unauthorized access and contain the attack. The healthcare provider took the decision to divert ambulances and cancel certain appointments as a safety measure while its electronic medical record system was offline.

The investigation into the breach determined its systems had first been compromised in May and files containing sensitive patient data had been exfiltrated from its systems. Notification letters started to be sent to affected patients in early November and patients were informed of the data theft and were offered complimentary identity theft protection and credit monitoring services. At the time of issuing notifications, there had been no reports of any misuse of patient data, although some patient data had been published on the gang’s data leak site. The breach report submitted to the HHS’ Office for Civil Rights in early October indicates 1,515,918 patients were affected by the breach.

Eskenazi Health said the stolen data related to employees, providers, patients, former patients, and vendors and included names, addresses, telephone numbers, email addresses, dates of birth, medical record numbers, patient account numbers, diagnoses, clinical information, physicians’ names, insurance information, prescriptions, driver’s license numbers, passport numbers, face photographs, Social Security numbers, and credit card information.

Eskenazi Health patient Terri Ruehl Young was one of the individuals impacted by the data breach. In her lawsuit Young claims a fraudulent charge of $370 was applied to the credit card she used to pay for her treatment and her Equifax credit report showed an attempt to change her name.

The lawsuit alleges patients placed their trust in Eskenazi Health to secure its systems and protect patient data, but the healthcare provider betrayed that trust by failing to implement up-to-date security practices and appropriate safeguards to protect patient data. The lawsuit alleges negligence, breach of contract, and unjust enrichment.

The lawsuit also takes issue with the length of time it took Eskenazi Health to notify patients about the data breach. The lawsuit claims that notification letters were sent more than 6 months after hackers first breached its systems, and 3 months after the breach was discovered by Eskenazi Health. The HIPAA Breach Notification Rule requires notifications to be issued without unreasonable delay and no later than 60 days after the discovery of a data breach.

The lawsuit, which was filed by Cohen and Malad and John Steinkamp & Associates, seeks class action status and requests a jury trial. A spokesperson for Eskenazi Health said the lawsuit has yet to be formally served.


Quest Diagnostics and Subsidiary Face Class Action Lawsuit Over Ransomware Attack

A lawsuit has been filed in the US District Court for the District of Massachusetts against Quest Diagnostics and its subsidiary, ReproSource Fertility Diagnostics, over an August 2021 ransomware attack that affected 350,000 patients.

On October 8, 2021, ReproSource started sending notification letters to affected patients informing them that some of their protected health information had potentially been accessed or stolen prior to ransomware being used to encrypt files. The types of data stored on parts of its network that were accessible to the attackers included names, dates of birth, test results, medical histories, diagnosis codes, Social Security numbers, billing information, and other information.

While breach notification letters were sent within the 60 days allowed by HIPAA, the lawsuit alleges Quest and ReproSource failed to issue timely notifications to patients, which violated Massachusetts law, and when the notification letters were issued – more than a month after the attack – they lacked important information about the breach, such as if the servers that stored patient data were accessed by the attackers, whether data on those servers were encrypted, how the attack occurred, and which systems had been affected. The patient named in the lawsuit, Jasmyn Bickham, claims to have received a letter stating her protected health information had been released, while the breach notice published on its website failed to say whether patients’ information was acquired by the hackers.

The lawsuit alleges the hackers were able to gain access to ReproSource’s systems because of the failure to implement appropriate safeguards to protect patient data, as is required by the HIPAA Security Rule, and if those measures had been implemented, the ransomware attack and data breach could have been prevented. The lawsuit alleges the failure to safeguard data violated several state and federal laws, and the security failures were “especially egregious” due to the number of warnings issued to the healthcare industry about the increase in ransomware attacks.

Under HIPAA, security awareness training must be provided to the workforce. The lawsuit alleges a violation of HIPAA and Federal Trade Commission regulations for training failures, claiming security awareness training had not been provided at defined intervals and the training program had not been tailored to employees with differing levels of knowledge about technology and cybersecurity.

The lawsuit alleges negligence, breach of contract, breach of implied contract, and breach of fiduciary duty and seeks class action status. The lawsuit claims patients affected by the breach face an elevated risk of identity theft and fraud, and that they have had to spend time protecting themselves against identity theft and fraud.

The lawsuit seeks actual, compensatory, punitive, and statutory damages, attorneys’ fees, and calls for ReproSource to enhance its security systems and return wrongfully retained revenue. In addition, the lawsuit seeks at least three years of credit monitoring services for the plaintiff and class members. ReproSource only offered 12 months of credit monitoring services to affected individuals.


HHS’ Office for Civil Rights Imposes Further 5 Financial Penalties for HIPAA Right of Access Violations

The HHS’ Office for Civil Rights (OCR) is continuing with its enforcement of compliance with the HIPAA Right of Access and has recently announced a further 5 financial penalties. The HIPAA Right of Access enforcement initiative was launched in the fall of 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records.

The HIPAA Privacy Rule requires covered entities to provide individuals with access to their medical records. A copy of the requested information must be provided within 30 days of the request being received, although a one-time extension of up to 30 days is permitted if the individual is given written notice of the delay and the reason for it. HIPAA-covered entities are permitted to charge patients for exercising this important Privacy Rule right, but may only charge a reasonable, cost-based fee. Labor costs may only be included for copying or otherwise creating and delivering the PHI after it has been identified, not for searching for or retrieving it.

The enforcement actions to date have not been imposed for charging excessive amounts, only for impermissibly refusing to provide a copy of the requested records or for unnecessary delays. In some cases, patients have had to wait many months before they were provided with a copy of their records.

The latest announcement by OCR brings the total number of HIPAA Right of Access enforcement actions under the 2019 enforcement initiative up to 25.

In all of the new cases below, OCR determined the healthcare providers were in violation of 45 C.F.R. § 164.524 and had not provided timely access to protected health information about the individual after receiving a request.

Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, agreed to settle OCR’s investigation and paid a $32,150 financial penalty and will be monitored by OCR for compliance with its corrective action plan for 2 years. The investigation stemmed from a complaint from a patient who requested his medical records on November 25, 2019, but was not provided with the records until March 19, 2020.

Denver Retina Center, a Denver, CO-based provider of ophthalmological services, settled its investigation with OCR and paid a $30,000 financial penalty and will be monitored for compliance with its corrective action plan for 12 months. A patient alleged she had requested her records in December 2018 but did not receive a copy of her records until July 26, 2019. OCR had provided technical assistance to the healthcare provider following receipt of a previous HIPAA Right of Access complaint from the same patient and closed the case. When evidence was received of continued non-compliance the case was reopened. OCR determined that in addition to the delay, Denver Retina Center’s access policies and procedures were not compliant with the HIPAA Privacy Rule, as required by 45 C.F.R. § 164.530(i).

Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, settled OCR’s investigation and paid a $160,000 financial penalty and will be monitored for compliance with the corrective action plan for 12 months. OCR had received three complaints from a patient who had not been provided with a copy of her medical records. The patient had requested a copy of her records on October 1, 2019, and November 21, 2019, and did not receive the requested records until May 22, 2020.

Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, settled OCR’s investigation and paid a $10,000 financial penalty and has agreed to take corrective action to prevent further HIPAA Right of Access violations. OCR had received a complaint from a patient who requested a copy of her medical records on June 27, 2019, and paid a $25 flat fee, which is the standard fee charged by Wake Health Medical Group for providing copies of medical records. As of the date of the settlement, the patient had still not been provided with the requested records.

Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, did not cooperate with OCR during the investigation, although he did not contest the findings and waived his right to a hearing. A civil monetary penalty of $100,000 was imposed by OCR. An investigation was launched following receipt of a complaint from a former patient who alleged he had made several written and verbal requests for a copy of his medical records between 2013 and 2014. The complaint was filed with OCR on November 9, 2017, and the case was closed by OCR on December 15, 2017, after advising Dr. Glaser to investigate the complaint and provide the requested records if the requests were in line with the HIPAA Right of Access. The patient filed a further complaint with OCR on March 20, 2018, and provided evidence of further written requests. OCR tried to contact Dr. Glaser on multiple occasions by letter and phone, but he repeatedly failed to respond, hence the decision to impose a civil monetary penalty.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
