October 24, 2024

There has been a flurry of HIPAA fines in the past few weeks, with over half a million dollars levied in the last month. Just one example is Gums Dental Care, LLC, a small dental practice in Maryland that was fined for a Right of Access violation. Right of Access violations, which involve failing to provide medical records in a timely manner, are a common HIPAA mistake. Another violation of this kind was issued in August.

What Happened?

A patient requested her medical records from Gums Dental on April 8, 2019. After not receiving them, she filed a complaint with the OCR in May 2019. The OCR contacted Gums Dental Care to provide technical assistance and believed the case was closed. This was just the beginning.

The case spanned years, with a second complaint filed in August 2019 and the OCR sending several data requests to Gums Dental by letter and phone. On October 1, 2020, the OCR sent Gums Dental a proposed resolution agreement and corrective action plan. At the end of that month, Dr. Gums asked to present her case before a judge, believing the patient would commit Medicaid fraud with her records. She also said that the complainant had not paid a $25 administrative fee to release the medical records by mail. First, patients should always have access to their medical records, regardless of their reasons. Second, the fee would have been waived if the patient had requested the records digitally rather than by mail.

In December 2020, the OCR issued a Letter of Opportunity to Gums Dental. At the beginning of the next year, Dr. Gums once again justified her refusal to provide the records on the grounds that she believed her patient would commit a crime with them. She also believed her website was not secure enough to send them digitally. However, Gums Dental did not attempt to send the records at all.

By the time the Notice of Proposed Determination was sent in March 2022, roughly three years after the first medical record request, Gums Dental faced a Civil Monetary Penalty as high as $7,676,692. However, the OCR ultimately levied a $70,000 fine, recognizing the smaller size of the dental practice.

How to Protect Your Practice

Common HIPAA fines often involve Right of Access violations. At the federal level, practices are required to provide patients with their medical records within 30 days, and some states have an even shorter timeline. Navigating these unique regulations can be challenging, so having an intelligent solution is crucial. Smart software can streamline compliance for your practice by generating policies and procedures tailored to your needs. These solutions also include access to a team of compliance experts who can help answer your questions and ensure that you are interacting with patients in a HIPAA-compliant manner. To learn more about software solutions, schedule a consultation with a compliance expert.
The Dermatologist’s Ultimate Guide to HIPAA Compliance
October 22, 2024

Did you know that a dermatology center was fined over $300,000 for violating HIPAA? HIPAA compliance is not always top of mind when managing your dermatology practice. With the focus on diagnosing and treating skin conditions, administrative tasks can easily take a back seat. Nevertheless, it is crucial to prioritize HIPAA compliance. Discover what steps you need to take to ensure the safety of your dermatology practice.

What's Protected Health Information?

Protected Health Information (PHI) is sensitive data that can personally identify a patient. Examples of PHI include a social security number, birth date, medical records, and, for dermatologists, even images of skin ailments. These images can contain personally identifiable information, such as tattoos and unique birthmarks. When working with patients, it is crucial to ensure that all images and other forms of PHI are encrypted and protected behind essential safeguards to secure patient information.

Social Media 101

When sharing images of your patient's treatment, such as before-and-after images of acne treatment, it is important to do so compliantly. While you might think you are sharing a feel-good story, patient images are considered Protected Health Information (PHI), and sharing them without consent could violate the patient's privacy. You need the patient's signed media consent form to share these images and patient reviews on social media compliantly. This form ensures that the patient understands and agrees to their image and treatment details being shared with the public.

Improper Disposal

The largest dermatology HIPAA fines, totaling over $300,000, were imposed for improper disposal. Old patient files must be retained for at least six years at the federal level, and some states have even stricter laws regarding their retention and discarding. These files also need to be encrypted throughout their lifecycle, from creation to disposal. When getting rid of sensitive information, ensure it is shredded and properly disposed of. Partner with a disposal company specializing in medical paperwork and waste, and have a Business Associate Agreement in place.

How Software Solutions Can Help

Dermatology helps patients feel comfortable in their own skin, both literally and figuratively. Implementing the appropriate safeguards to protect patients' data is just as important. By utilizing smart software, you can see where your dermatology practice stands and what you need to do to be compliant. To learn how you can protect your dermatology practice, schedule a consultation with an expert.
The Rise of Ransomware in Healthcare: How a Phishing Breach Led to a $240K HIPAA Fine
October 14, 2024

Unfortunately, ransomware is the future of data breaches, already accounting for nearly two-thirds of them. As ransomware remains a significant threat in the healthcare sector, another HIPAA fine has been issued concerning a ransomware incident. Recently, a healthcare organization was fined $240,000 following ransomware attacks, including phishing, that compromised the Protected Health Information of over 85,000 patients.

What happened?

The Center of Orthopaedic Specialists merged with Providence Medical Institute (PMI), a healthcare system in southern California. In February 2018, during the transition, an employee clicked on a malicious link in a phishing message, and the resulting ransomware encrypted over 85,000 files. Subsequently, two more successful ransomware attacks were launched against the already vulnerable IT system. Between these attacks, PMI restored data from backup tapes. In the final ransomware attack, the malicious actors used credentials stolen in the earlier attempts to remotely access PMI's systems.

What could they have done?

After the breach, several cybersecurity mistakes that affected almost 100,000 patients came to light. Before merging with PMI, the Center of Orthopaedic Specialists had partnered with another IT company, Creative Solutions in Computers. However, PMI failed to sign a Business Associate Agreement with the IT company during the transition, a crucial HIPAA requirement. This agreement ensures that both parties understand and take the necessary precautions to protect PHI. Furthermore, PMI made numerous IT and cybersecurity mistakes, such as sharing logins, not properly separating private networks from public networks, failing to monitor access controls, and not encrypting ePHI, which allowed anyone with access to view it. The lack of proper IT infrastructure, which could easily have been avoided, significantly impacted numerous patients.

What's next?

After this recent HIPAA fine, it is crucial for your practice to take the necessary precautions and implement cybersecurity measures to safeguard your patients' data. When establishing a culture of compliance for your practice, smart software solutions can help you assess your practice's status and offer efficient ways to meet requirements, such as electronically managed Business Associate Agreements. To find out more about how intelligent software solutions can protect your practice from cyber attacks, schedule a consultation with a compliance consultant.
$250K HIPAA Fine for Data Breach: The High Cost of Ignoring Cybersecurity Threats
October 3, 2024

Ransomware remains a significant threat to the healthcare industry, causing nearly two-thirds of data breaches. The Office for Civil Rights (OCR) imposed a $250,000 HIPAA fine on Cascade Eye and Skin Centers, which provides ophthalmology and dermatology care in Washington state. This fine highlights the ongoing impact of ransomware attacks on the healthcare sector and emphasizes the importance of protecting medical practices.

What Happened?

In May 2017, hackers held almost 300,000 electronic Protected Health Information (ePHI) files at Cascade Eye and Skin Centers for ransom. The practice lacked essential safeguards, such as a thorough Security Risk Analysis and effective data access monitoring, leaving patient data vulnerable to malicious actors.

The Aftermath

The $250,000 fine is a stark reminder of the OCR's commitment to enforcing HIPAA compliance in the face of cybercrime. Several ransomware-related fines have been levied in the past year, and unfortunately this trend is expected to continue as ransomware attacks against healthcare organizations rise. In addition to the substantial fine, the practice is subject to a Corrective Action Plan (CAP), with the OCR overseeing Cascade Eye and Skin Centers as it implements the initiatives and measures needed to safeguard its operations from cybersecurity breaches.

Protecting Your Practice

While no healthcare practice can be completely immune to cyber threats, there are proactive steps you can take. By implementing preventive measures, you can stop cyberattacks before they impact your practice. A comprehensive Security Risk Analysis can help identify vulnerabilities and inform your risk management strategy by giving you a clear overview of what your practice currently has in place. Encrypting data provides another layer of protection by making it unreadable to unauthorized individuals. Firewalls and antivirus software can also act as barriers against malicious attacks.

Beyond technical safeguards, a well-developed Disaster Recovery Plan is essential for minimizing the impact of a breach. Having a plan in place helps ensure a swift and effective response to incidents and limits disruption to patient care. Remote access and support capabilities can also be critical for managing compromised systems and restoring operations quickly.

As technology continues to transform the healthcare industry, your compliance program should evolve with it. By utilizing automated software, you can streamline compliance efforts, receive expert guidance, and stay informed about the latest cybersecurity threats. Schedule a consultation with a compliance expert to learn more about how software solutions can help protect your practice.