October 30, 2020
Just when we thought the month was over, the Office for Civil Rights (OCR) decided to sneak one more HIPAA fine in at the last minute. Earlier today the OCR announced October’s FOURTH fine – this time with the City of New Haven, Connecticut, which has agreed to pay a $202,400 fine and complete a 2-year corrective action plan after violating the HIPAA Privacy and Security Rules. The 15th settlement of the year came as a result of a HIPAA violation back in January 2017 that sounds almost like a TV drama.
Back in 2017, the incident began when the New Haven Health Department notified the OCR that a former employee appeared to have accessed a file on a computer containing protected health information (PHI). After some OCR sleuthing, it was revealed that 8 days after being fired in July 2016, the same employee returned to the health department, logged into her old computer with still-active credentials (we’re picturing her with a large hat, sunglasses and a trench coat) and downloaded the PHI of 498 individuals to a USB drive. The malicious download included patient names, addresses, and other personal medical information. And as if this really was a binge-worthy TV show (grab the popcorn), the former employee then shared her login ID and password with an intern – who continued to do the dirty work for her.
On top of the drama-filled breach, the OCR investigation also uncovered major gaps in the health department’s HIPAA program, including:
We’ve seen a number of recent HIPAA settlements centering around improper access, but in this case the unauthorized access came as a result of the New Haven Health Department’s failure to have proper employee offboarding procedures. The simplest task of deactivating the employee’s login credentials could have saved the organization a huge chunk of change, and kept 498 patients’ information better protected.
You can never really predict when an employee will ‘go rogue’, and not having a termination process in place – or even just waiting a few days to disable access – can be a costly mistake. Having a comprehensive plan covering an employee’s first day through their last is an important aspect of general operations, and especially of your HIPAA compliance program. OCR Director Roger Severino said it best: “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”
Cybersecurity Awareness Continues
October 29, 2020
Cybersecurity Awareness Month is wrapping up (believe it or not, it’s almost Halloween, if you’ve lost track of the days this year like we have), but as the month ends, the protections and measures you have in place to prevent a cyberattack should remain in full force. Just a quick glance at our HIPAA news page shows a growing list of recent HIPAA enforcement efforts, many stemming from cyberattacks that could have been avoided. Couple that with growing cyber threats during COVID-19 and you have yourself a pretty good idea of why cybersecurity should stay top of mind for months to come.
We know that the word ‘cybersecurity’ can be a little vague – and even daunting – so here’s a recap of the latest and greatest threats to watch out for:
- Ransomware Activity
- Phishing Schemes
- Missing Key Technical Safeguards
- Properly Mitigating Potential Threats
- Staying Educated
Not convinced cybersecurity is important? Just look at the data:
We can probably agree that unless you put your practice in a bubble, there really is no such thing as being 100% protected from every cyberthreat out there. Since totally cutting off access to your patients’ sensitive information is impossible, the next best thing is to have all the necessary technical safeguards in place and be aware of how to properly handle a threat.
OCR Announces $1,000,000 Settlement With Aetna for Multiple HIPAA breaches
October 28, 2020
Thought we’d be able to skate through the rest of October without another HIPAA fine? Not so fast. The Office for Civil Rights (OCR) just announced another $1,000,000 settlement to add to October’s tab, settling with Aetna on not one, not two, but three separate HIPAA violations. Aetna Life Insurance Company, as well as the affiliated covered entity (Aetna), agreed to a million-dollar payout in addition to a two-year corrective action plan as a result of multiple HIPAA incidents experienced back in 2017.
The first violation occurred in April 2017, after Aetna discovered that two web services used to display plan-related documents to their members did not have the necessary login protections and were accessible through regular internet search engines. Aetna’s report noted that the incident exposed the protected health information (PHI) of over 5,000 individuals.
Violation number two came just a few months later in July, when Aetna received complaints that sensitive health information was made visible through benefit notice mailers. The 11,887 affected individuals’ medication information could be seen through the window of the envelope below the member’s name and address, clearly exposing their PHI to anyone who happened across the mailings.
Last but not least, the third violation occurred in September 2017, after a similar mailer was sent to 1,600 individuals displaying the name and logo of a research study on atrial fibrillation (irregular heartbeat) that some members were participating in. Because the logo on the envelope clearly conveyed the type of study the recipients were a part of, it was automatically an impermissible disclosure of PHI.
Three HIPAA violations in one year is already enough to get you on the OCR’s bad side, but after further investigation, they found other aspects of Aetna’s HIPAA compliance program missing, including:
2017 was certainly a bad year for Aetna, and 2020 has now been a very bad year for all covered entities – practices, insurance companies and business associates alike – without a complete HIPAA compliance program in place. This latest settlement brings this year’s total to a whopping $13,186,500 – almost a million dollars over last year’s total fines, with 2 months still left on the clock in 2020. We know you’re sick of hearing us harp on the importance of being compliant before an incident happens (seriously, we’re turning into our own mothers), but in OCR Director Roger Severino’s own words, “Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.”
Abyde launches new educational partnership with Southern College of Optometry
October 28, 2020
October 28, 2020, Tampa, FL – Abyde, an industry-leading, user-friendly HIPAA compliance software solution, today announced it has partnered with the Southern College of Optometry (SCO) to provide HIPAA compliance training for SCO students and faculty. Abyde continues to pave the way with revolutionary approaches to educating future providers even before graduation, streamlining and enhancing the HIPAA education provided to SCO students and further expanding Abyde’s own services for educational institutions.
Abyde, focused on HIPAA compliance education and tools for independent practices, continues to enhance their services for educational institutions, creating curated HIPAA content for promising future doctors. In addition to student-specific content, Abyde is bridging the gap between clinical training and professional practice by highlighting the role HIPAA plays in clinical operations. Through this new partnership, SCO has proven their commitment to industry-leading HIPAA compliance, supplementing a successful education program with additional insight and engaging HIPAA-specific content that further prepares their students for success after graduation. As part of their collaboration, Abyde offers exclusive discounts to SCO alumni as they graduate and join the eye care workforce.
“As a leader in eye care, SCO is always looking to enhance our existing programs. Abyde has enabled SCO to use engaging remote training videos to provide comprehensive HIPAA education for our faculty and students. We’ve been able to streamline our own HIPAA compliance program, while adding valuable new ways for students to engage with important content they will need after graduation,” said Dr. Christopher Lievens, Chief of Internal Clinics at Southern College of Optometry. “Abyde has customized their training video schedule to meet our students’ needs and worked hand in hand with our faculty during the onboarding process.”
“Abyde truly wants to revolutionize the HIPAA compliance industry, and there’s no better place to do so than as we educate the next generation of healthcare leaders. This collaboration with Southern College of Optometry fits squarely within our mission and provides an exciting opportunity to supplement an already exceptional curriculum with real-world applications,” added Matt DiBlasi, President of Abyde. “We are confident that SCO’s students will be able to take our engaging content and be better prepared to enter the eye care workforce.”
Abyde is a complete HIPAA program used by thousands of providers across the nation and covers the required Security Risk Analysis, HIPAA training for doctors and staff, Business Associate Agreements, customized practice-specific policies, and more.
About Abyde
Abyde (Tampa, FL) is a software company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com or call 800.594.0883.
About Southern College of Optometry
Southern College of Optometry was established in Memphis, Tennessee, in 1932. SCO is an independent, not-for-profit institution of higher education with more than 500 students and residents from 40 states. The Eye Center at SCO serves nearly 60,000 patients annually, helping make the college one of the top in the nation for clinical optometric education. Additionally, SCO opened a second clinic, University Eye Care, on the campus of The University of Memphis in 2013, and a third clinic, FocalPoint at Crosstown Concourse, in 2017.
For more information on SCO, please visit http://www.sco.edu. Read the full press release here.
State HIPAA Fines Add to Growing 2020 Fine Totals
October 23, 2020
The Office for Civil Rights (OCR) has left practices taking hit after hit after hit when it comes to HIPAA fines this year, but two recent multi-state HIPAA fines have added just as many $$$ to this year’s enforcement totals. While the OCR certainly makes headlines, state enforcement and state-specific HIPAA regulations are just as important to adhere to as federal laws. In fact, depending on the incident and patients affected, many states require their attorney general be notified of a breach and have the option to pursue the HIPAA violation in addition to the investigation at the federal level. Driving the point home for us, two healthcare organizations found themselves emptying their pockets for a second time in the past few weeks – agreeing to multi-million dollar settlements with multiple states for HIPAA violations already settled with the OCR. These fines are the latest in over $66 million collected by states as part of HIPAA enforcement actions.
Anthem, Inc.
The health insurance provider Anthem went one round with the HIPAA police in 2018, and suffered their first loss against the Office for Civil Rights (OCR) with a $16 million settlement relating to a breach that exposed almost 79 million patients’ records back in 2014. The results of round 2 have just come in, and it’s a K.O. – Anthem, Inc. has just settled with 43 states and California relating to the same HIPAA breach, with a whopping $48.2 million in total fines. If you aren’t able to recite every HIPAA fine from memory (it’s ok, we’re probably the only ones that would win that trivia contest), the original incident resulted from a cyberattack that exposed almost 79 million individuals’ records. The OCR investigation revealed Anthem was missing an enterprise-wide security risk analysis, various technical safeguards, and the proper response to suspected or known security incidents – resulting in the first place trophy for largest HIPAA settlement ever.
Community Health System (CHS)
Just last month, the OCR settled a $2.3 million fine with a business associate, Community Health System (CHS), who exposed 6.1 million patients’ records as a result of another 2014 cyber attack. While most of us wish we could fast forward to 2021 and escape 2020, we’re sure CHS probably feels that way more than anyone after the announcement of another $5 million added to their tab in a 28-state settlement of the same incident. These recent fines are starting to feel like déjà vu, so here’s more on the announcement to help jog your memory. Not surprisingly, in their investigation the OCR found CHS was missing a security risk analysis, had no proper security incident procedures in place, and failed to implement necessary access controls.
While the breaches themselves may be old news, the latest settlements are a fresh reminder of how healthcare practices must take notice of state HIPAA enforcement. Both state fines mentioned above, though split among all the states listed in each settlement, actually totaled more than the amount the OCR fined each organization. Having a complete HIPAA compliance program with necessary safeguards in place will not only reduce your risk of being targeted by a hacker, as was the case in both these incidents, but will also keep your chances of federal and state-level fines to a minimum. Federal HIPAA requirements certainly put enough on your plate, but having a HIPAA partner that can provide all your state-specific HIPAA requirements for you makes complying that much easier – and helps avoid costly state audits.
What Does ‘Information Blocking’ Mean?
October 15, 2020
If you’re at all familiar with the 21st Century Cures Act, you may have heard the term ‘information blocking’ tossed around. Even if you’re not, you may be familiar with the ongoing healthcare battle to prevent information blocking and more effectively share patient information. If you’re not familiar with any of these things…well…keep reading anyway; if you’re an independent practice, we promise this is going to be increasingly important information to know.
A major goal of the Cures Act is to break down the barriers currently erected to interfere with, prevent, or discourage the access, exchange, or use of electronic Protected Health Information (ePHI) within the healthcare industry – otherwise known as information blocking. HIPAA outlines the specific ways information can be shared (and these rules still apply), but the statement “sorry, we can’t share that information because of HIPAA” is often applied incorrectly, and that is part of what the Cures Act hopes to correct. Deliberately blocking information that should be shared with patients and other appropriate covered entities, such as Health Information Exchanges (HIEs), can prevent or delay proper treatment and ultimately reduces the effectiveness of patient care.
Before the Cures Act rules go into effect (November 2, 2020), organizations must reevaluate or remove any barriers currently in place that constitute information blocking. Not 100% sure what that really means? You aren’t alone, which is why the Office of the National Coordinator for Healthcare Technology (ONC) has created a helpful cheat sheet for what does and does not qualify as information blocking. There are some exceptions to what falls under the “information blocking” umbrella, including:
All of these exceptions are only permissible provided certain conditions are met.
In general, think of information blocking as refusing to share data even when there is no reason not to – i.e., none of these exceptions or regular privacy concerns apply. Where it gets tricky is when information sharing might – though the situation makes it unclear – violate HIPAA compliance regulations (really violate them, not just as an excuse). It’s always helpful to ask the experts in these circumstances – such as your HIPAA compliance program provider (*cough cough*).
OCR Settles Ninth HIPAA Right of Access Investigation
October 9, 2020
The OCR has proven they keep their promises (unlike that former friend we all know), taking only two days to fulfill their recent pledge of continued right of access enforcement and announcing yet another HIPAA fine. For those of you counting, that’s 7 right of access fines in less than a month – so take the hint, and pay attention to what your practice should be doing when it comes to patient right of access.
This time, the fine goes to NY Spine Medicine (NY Spine), a New York-based neurology and pain management medical practice, which was hit with a $100,000 fine and a two-year corrective action plan for failing to provide records to a patient in 2019. After multiple requests beginning in June 2019, NY Spine failed to provide diagnostic film records to a patient, only providing the records in October 2020 after the OCR investigation. Important to note about this case is that NY Spine did provide some records to the patient, but not the ones she had actually requested – making this still a right of access violation.
As OCR Director Roger Severino put it, “no one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” If you’re a covered entity of any kind, now would be the right time to say ‘message received’. If the OCR’s words aren’t enough, take a look at the stats:
If you need a refresher, read up on the five right of access fines announced in September or this Wednesday’s $160,000 right of access fine.
What should your practice be doing right now? First, don’t panic. Second, if you think you might not be up to snuff on patient right of access, we have the inside scoop on how to get compliant and update your policies and know-how (wink wink). Just sign up for an educational webinar to learn what steps you can take right away to prevent being the next enforcement victim.
Life Before HIPAA
October 8, 2020
Likely, the number of times someone older than you has used the phrase “back in my day” is staggering. And while it’s unlikely previous generations did walk 20 miles uphill both ways in the snow to school every day, they DID have to deal with far fewer patient privacy protections than we have today. So when did protecting patients’ sensitive data become a priority? With the introduction of the Health Insurance Portability Act, better known as HIPAA, in 1996. HIPAA has had a bad reputation since being signed into law, but read on to see why HIPAA is actually a good thing – for your practice, and for patients everywhere.
Prior to 1996, health information privacy was like the wild west. There was no federal rule governing the privacy and protection of health information. While most providers acted within reason, no one had defined what protecting your sensitive information meant or how it was going to be regulated.
So let’s take a moment to picture ‘life before HIPAA’. Imagine you’re in the running for the big promotion at work. You’re definitely the best candidate, but your anxiety (undiagnosed bipolar disorder) has started to affect your work performance. Instead of seeking medical help, you pretend everything’s a-okay. You know that if you see a professional, your employer could be notified and your chance at promotion would be out the window. Meanwhile, your anxiety over hiding your anxiety takes an even greater toll – the promotion goes to Chad from Accounting instead.
This scenario was REAL for many individuals prior to HIPAA. Companies used to receive detailed updates regarding employees’ health insurance. At the same time, patients weren’t necessarily able to receive their own medical records. This was a problem. The only way to protect your health information at the time was not to have any created in the first place – preventing patients from seeking the care they needed. Enter HIPAA.
HIPAA laws standardize the ’right way’ to handle sensitive patient information. While sometimes these standards are anything but simple, it’s clear HIPAA guidelines make sure PHI is actually protected – not just given away like candy. Protecting PHI means ensuring its privacy (the HIPAA Privacy Rule) as well as its security (the HIPAA Security Rule). Ultimately, HIPAA law standardized protections for your patient data through required safeguards in addition to privacy requirements to prevent unauthorized disclosures. Because of HIPAA, individuals can feel comfortable going to a doctor to receive treatment without fear that it will be the talk of the office break room the next day. Not only do patients have the ability to determine who can and can’t be in the know, but they also have the ability to access records themselves to stay on top of their own care. So next time you’re frustrated with the need to have patients sign a HIPAA authorization form, just remember that HIPAA is what stands between you and chaos. Well, maybe we’re being a bit dramatic, but when sensitive data falls into the wrong hands, it could certainly feel like the end of the world.
Abyde teams up with North Carolina Medical Society to deliver comprehensive HIPAA compliance solutions
October 7, 2020
October 7, 2020, Tampa, FL – Abyde announced today a new partnership with the North Carolina Medical Society (NCMS) to provide NCMS members with Abyde’s user-friendly HIPAA compliance software solution designed for independent practices.
The Office for Civil Rights (OCR) has broken records in HIPAA enforcement this past month, including eight settlements totaling $10.8 million in fines. This ongoing enforcement activity emphasizes the continued importance of HIPAA compliance among providers and the need to proactively correct the gaps often found in practices’ compliance programs. Abyde’s collaboration with the NCMS emphasizes continued efforts to help more medical providers meet the government’s standards, improve their compliance programs, and gain the necessary tools to realize HIPAA compliance on an ongoing basis.
Abyde’s software solution is the easiest way for a medical practice of any size to implement and sustain a comprehensive HIPAA compliance program. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.
“Partnering with the NCMS emphasizes our joint commitment to helping more providers realize HIPAA compliance and better safeguard their practice against the common threats we’ve seen in recent HIPAA settlements,” said Matt DiBlasi, President of Abyde. “We are thrilled to be a part of the NCMS’ proactive approach to helping their providers experience stress-free HIPAA compliance and steer clear of hefty HIPAA fines.”
“The North Carolina Medical Society is pleased to welcome Abyde to our Marketplace to help our members implement and maintain a complete HIPAA program, in the most comprehensive and user-friendly way possible,” said NCMS Vice President for Rural Health Systems Innovation Franklin Walker, MBA. “We look forward to working together to provide our members with valuable education and resources.”
About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.
About NCMS
The North Carolina Medical Society is the oldest professional member organization in North Carolina, representing physicians and PAs who practice in the state. Founded in 1849, the Society seeks to provide leadership in medicine by uniting, serving and representing physicians and their health care teams to enhance the health of North Carolinians.
Read the full press release here.
OCR Levies 8th Patient Right of Access Fine, $160,000 Settlement Reached with St. Joseph’s Hospital and Medical Center
October 7, 2020
The Office for Civil Rights (OCR) has officially kept their foot on the gas heading into October, announcing their 8th HIPAA right of access fine and adding to a string of nine total HIPAA fines announced since September 15th. Five of those recent fines also centered on providing patients appropriate access to their records, an initiative the OCR pledged to enforce in 2019.
The latest practice left in the OCR’s dust is St. Joseph’s Hospital and Medical Center (SJHMC), an acute care hospital with several hospital-based clinics providing a variety of health services out of Phoenix, Arizona. SJHMC was slapped with a $160,000 fine, along with a 2-year corrective action plan, to settle their potential HIPAA violation. Continuing the patient right of access violation trend, SJHMC failed to provide patient records requested by a patient’s personal representative within any sort of reasonable timeframe, and certainly not within HIPAA-mandated and state-specific deadlines.
OCR involvement began in April 2018, when a complaint was received from an SJHMC patient’s mother stating that since January of 2018 she had made various requests for a copy of her son’s medical records that SJHMC had failed to fulfill. While the hospital provided partial records, they failed to produce the full records requested despite follow-ups made by the mother in March, April, and May of 2018. The records were only provided a long 22 months later, in December 2019, after the OCR got involved to investigate the complaint. The deadline to provide patient records after a request in Arizona is 30 days.
If you haven’t realized the enforcement trend yet, the OCR made it pretty clear in their statement announcing the fine. “It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously,” OCR Director Roger Severino stated. “OCR has many rights of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients.”
Not only did OCR Director Roger Severino call out practices who aren’t actively focusing on their HIPAA compliance program, he emphasized that there is more to come related to patient right of access. This fine, along with the many others announced in recent weeks, emphasizes just how important a HIPAA compliance program is, and how important having the right policies in place is to fulfill all aspects of HIPAA compliance – including meeting patients’ access requests.