March 2025

Business Associate Risk Analysis Initiative Fine
Abyde News, Business Associates, Fines, HIPAA

Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine

March 27, 2025 No comments yet

March 27, 2025   With over $3.5 million of fines levied against Business Associates (BAs) so far in 2025, it’s fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines in 2025 serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI).  The latest BA HIPAA fine was enforced on the Health Fitness Corporation, which offers wellness plans nationwide.  After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP).  At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization’s vulnerabilities.  This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent program by the OCR to ensure regulated entities complied with this HIPAA requirement.  This fine not only spotlights the importance of Business Associates following HIPAA, but also for all regulated entities to be aware of the Security Risk Analysis requirement.    What Happened?  In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered in June 2018, with an estimated 4,000 patients impacted by this security issue.  Four breach reports describing this incident were filed from the end of 2018 into early 2019.  This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024.  The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities.  As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years.    How to Protect Your Organization  When working with PHI, all involved parties must know their responsibilities.  For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third parties with access to PHI is vital. BAAs define each party’s responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually, and anytime a breach occurs. Risks can be mitigated by being on top and informed about your organization’s vulnerabilities.  Utilizing a smart software solution can streamline these requirements. Smart solutions can streamline the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.

HIPAA Right of Access
Abyde News, Best Practices, HIPAA

What is Right of Access?: Understanding the HIPAA Privacy Rule

March 20, 2025 No comments yet

March 20, 2025   HIPAA is often misunderstood as only addressing the security of medical information. However, it encompasses more than that. The Health Insurance Portability & Accountability Act also defines how medical information must be shared with patients through the Privacy Rule. This highlights another key responsibility healthcare providers must be accountable for.  Alongside the Security Rule and the Breach Notification Rule, the Privacy Rule provides patients additional rights regarding how their medical records are handled.  The Privacy Rule created the Right of Access, requiring practices to provide patients with their medical records in a timely manner.  With the latest fine for HIPAA being a Right of Access violation, it’s vital for practices to be aware of this requirement and how it pertains to the care they provide.    What is Right of Access? Right of Access gives practices 30 days to fulfill a patient’s request for their records. In some situations, these thirty days can be extended to an additional 30 days, but that is the longest period of time allowed to provide a patient with their records.  This is a federal requirement, but the timeline could be even shorter depending on where the practice is located. For instance, if the practice is in California, staff must provide patients with medical records within 15 days.  Your practice can charge for medical records, but it needs to be reasonable. The Office for Civil Rights (OCR) defines this as the average cost of supplies, limited labor, and postage when providing medical records to a patient.  However, instead of calculating this cost, the OCR also suggested a flat fee not to exceed $6.50 when handling electronic records. Once again, other guidance can be levied on the state level, like California’s cap on the cost of medical records at 25¢ a page plus a reasonable clerical fee.  From the moment a practice receives a request, it must be addressed quickly. Staying on top of these requests is crucial for staying compliant and maintaining patient satisfaction.    How to Stay Compliant While this might seem simple, many practices have been fined in the past for violating this right of patients. In 2024 alone, Right of Access fines accounted for nearly $500,000. The OCR introduced a Right of Access Initiative to ensure that these patient requests are taken seriously. Many of these investigations and fines stem from patient complaints, showing the importance of complying with this HIPAA component.  Utilizing smart software solutions can assist your team in ensuring that all staff members are aware of their responsibilities when handling PHI, including the responsibility to address patient requests quickly. This empowers your team to take accountability and keep patients happy.  To learn more about how to comply with HIPAA Right of Access legislation, meet with our team of compliance experts today.   

HIPAA Investigation Guide
Abyde News, Best Practices, HIPAA

Inside a HIPAA Investigation: A 4-Part Educational Series

March 17, 2025 No comments yet

March 17, 2025 Getting a HIPAA investigation letter can be overwhelming, but your practice can successfully navigate the process with the right resources. This series is designed to be your easy-to-read guide, walking you through each step of the process. We’ll break down everything from understanding the initial letter to navigating potential outcomes, providing you with best practices to keep your practice confident and prepared if you ever receive a letter.    Blog 1: Is Your Practice Prepared for a HIPAA Breach? A common misconception is that a HIPAA breach causes your practice to be fined. Instead, your practice’s lack of proactive measures and proper response to a breach is what leads to disciplinary action. Although it’s impossible to prevent breaches completely, the proper safeguards can minimize their risk and impact. Learn more about breach mitigation here.    Blog 2: Decoding the HIPAA Investigation Letter: What to Expect and How to Respond The official start of an investigation is when your practice receives the data request letter from the Office for Civil Rights (OCR). The letter is thorough, with the OCR inspecting your practice’s safeguards in the wake of a breach or a complaint. Learn more about what your practice can expect if they receive a letter here.    Blog 3: Responding to a HIPAA Investigation: A Guide to Document Organization From the second your practice gets a letter from the OCR, it’s time to start organizing documentation. Organizing documentation is vital for streamlining the investigation process. Having organized documentation is the key to passing an investigation and avoiding fines. Learn more here.    Blog 4: The Final Verdict: HIPAA Investigation Outcomes After months of investigation, the OCR will send a letter to your practice. Various outcomes can occur, from closing the investigation with no fines to corrective action. Learn more about the outcomes of an investigation here.    While we hope your practice never has to experience an investigation, things happen. With the right proactive safeguards in place, your practice can minimize the chance of an investigation and be organized and ready if one occurs.  With the right resources, like a compliance software solution, your practice can streamline compliance, take control, and easily identify vulnerabilities before they become serious issues.  Want to learn more about how you can protect your practice? Meet with a compliance expert today.

Oregon Health & Science University HIPAA Fine
Abyde News, Fines, HIPAA

Denied, Delayed, Fined: OHSU’s $200K HIPAA Fine

March 13, 2025 No comments yet

March 13, 2025 Oregon Health & Science University (OHSU), an academic research institution with public health centers, is the latest Covered Entity to be fined for a HIPAA Right of Access violation.  Unfortunately, Right of Access fines are common, usually sparked by a patient complaint. OHSU’s violation was no different, with a patient waiting for records much longer than the 30-day federal requirement.  This 53rd Right of Access rule enforcement showcases the critical importance of prioritizing patient requests.  What Happened?  A patient of OHSU required their medical records, and a medical representative requested records multiple times for years.  The representative’s initial written request was on April 24, 2019. At first, OHSU quickly addressed this request, having a Business Associate provide medical records to the representative by April 29, 2019. However, these were partial records, not including all of the vital information the patient needed.  The representative sent another request at the beginning of November 2019, which OHSU incorrectly denied due to a missing date. The representative submitted another request at the end of the month, which OHSU once again erroneously denied, this time for invoices.  When OHSU again only provided partial records after the representative asked for the records in May 2020, the representative filed a complaint with the Office for Civil Rights (OCR).  After another denial of medical records in July, the OCR closed the case in September, providing OHSU technical assistance to properly send medical records.  However, the records were still not provided as of January 2021, when the representative submitted a second complaint to the OCR.  The OCR notified the university on August 21, 2021. Within the week, OHSU provided the representative with medical records. All medical records were sent to the representative by the end of September.  Over two years had passed from the first request in April 2019 to finally receiving the records in late 2021.  This request’s drawn-out, back-and-forth nature resulted in OHSU being fined a $200,000 Civil Monetary Penalty.  Prioritize Patient Requests Almost half a million patient complaints have been received from the OCR. By prioritizing patient requests for records, your practice can avoid potential investigations, fines, and in general, unhappy patients.  When working in healthcare, your goal is to provide the best care for patients. Ignoring patients’ needs will leave them unhappy and dissatisfied, seriously impacting the overall quality of care your practice can provide. Intelligent compliance software solutions allow your practice to proactively identify and address vulnerabilities while educating staff on essential compliance requirements.  By streamlining compliance, your staff can be well aware of the importance of prioritizing patient requests, leading to a more successful practice with higher patient satisfaction. To learn more about simplifying compliance, schedule a consultation with a compliance expert. 

Warby Parker HIPAA Fine
Abyde News, Fines, HIPAA

Warby Parker’s $1.5 Million HIPAA Fine: A Security Risk Analysis Eye-Opener

March 6, 2025 No comments yet

March 6, 2025   Warby Parker, the popular prescription eyewear retailer with a strong online presence and expanding physical stores, was recently fined $1.5 million for a HIPAA violation. This enforcement highlights that no matter how big your organization is, the government can and will investigate breaches of PHI.  In 2025, the Office for Civil Rights (OCR) has issued over $5 million in fines so far, almost all of which involved a missing Security Risk Analysis (SRA). The SRA thoroughly assesses your practice’s physical, technical, and administrative safeguards for securing patient Protected Health Information (PHI).  The Warby Parker fine is a stark reminder that the SRA, a detailed examination of your PHI safeguards, is not just a recommendation; it’s a necessity.    What Happened?  In late 2018, Warby Parker experienced numerous unusual login attempts on its site. It was discovered that customer logins were breached through credential stuffing or when information was pulled from unrelated breaches. For example, a customer’s login was likely reused on another hacked site.  The OCR began its investigation in December 2018, but the flurry of attacks continued. Warby Parker, which also provides eye exams, issued several addendums to its initial breach report, revealing that additional customer and patient accounts were compromised. Additional attacks occurred in 2020 and 2022. Overall, these cybercrimes impacted almost 200,000 patients.  As the OCR investigated Warby Parker, it discovered that Warby Parker did not conduct an adequate security risk analysis, implement sufficient technical safeguards to prevent further attacks, or regularly review system access. These failures to protect PHI led to a $1.5 million Civil Monetary Penalty (CMP), demonstrating that even massive organizations need to comply with HIPAA requirements.  How to Protect Your Organization The first step to HIPAA compliance for your practice is proactively maintaining an SRA. By evaluating and identifying your vulnerabilities, your practice can address these weaknesses before they become serious problems. As stated before, no matter how small or large your organization is, you must complete the SRA annually.  Regular reviews of PHI access are essential to identify and address breaches promptly, minimizing the number of affected patients. Implementing an access log is crucial as well, ensuring staff is held accountable for documenting when they interact with PHI.  Utilizing a compliance software solution can alleviate the stress of managing numerous requirements. Software solutions can streamline compliance and offer a SRA and an access log within the program. By outsourcing compliance, your team can focus more time on patient care.  To learn how to simplify HIPAA compliance for your practice, schedule a consultation with a compliance expert today.   

Outcomes of a HIPAA Investigation
Abyde News, Best Practices, HIPAA

The Final Verdict: HIPAA Investigation Outcomes

March 3, 2025 No comments yet

March 3, 2025   Welcome to the fourth and final installment of Abyde’s HIPAA Investigation Survival Series. We’ve already reviewed the initial breach, the letter you received, organizing documentation in response to the letter and data request from the OCR, and now the possible outcomes of a HIPAA investigation.  There are a few possible outcomes for a HIPAA investigation. As discussed at the end of the previous blog post, the ultimate judgment from the OCR could be levied months or even years after the investigation started.  What are the possible outcomes of a HIPAA Investigation? The most favorable outcome of an investigation is when the OCR closes your investigation. Your OCR investigator will inform you through writing, either through an official email or letter, that your documentation was sufficient, showcasing that your practice is implementing the right safeguards to secure Protected Health Information (PHI). Once an investigation is closed, you’ve officially passed the investigation.  However, the OCR can and will levy monetary fines if your documentation is insufficient. Monetary fines range from $141 to over $2 million per violation. Fines are tiered, starting with tier 1, which is the least serious based on a sincere lack of knowledge of a violation, to tier 4, or willful neglect of a situation if not corrected within 30 days. These fines are also adjusted yearly based on inflation.  HIPAA fines are categorized into two types: Civil Monetary Penalties and Settlements. Civil Monetary Penalties are imposed when a practice is found guilty of violating HIPAA regulations. The practice and the OCR negotiate settlements, and the practice does not admit to any HIPAA violations once paying the fine.  Both forms of penalties are highlighted on the OCR’s website as press releases and written about by numerous healthcare compliance news professionals, meaning this fine will live on the internet forever.  Lastly, the OCR can levy a Corrective Action Plan (CAP) in addition to a monetary penalty. A CAP requires a fined practice to be monitored by the OCR for several years, as defined by the CAP. This leaves the practice subject to government scrutiny, another hurdle.    How Can I Avoid This? Proactive measures are key when it comes to avoiding a HIPAA investigation. By implementing the appropriate safeguards before a situation occurs and properly training all staff, your practice can avoid common mistakes leading to breaches.  Utilizing a software solution is imperative when handling HIPAA compliance. Outsourcing compliance streamlines compliance for your practice, freeing your time and providing an easily accessible hub for all documentation.  To learn more about simplifying HIPAA compliance for your practice, schedule a consultation with one of our experts today.  To visit our first installment of this series about the breach that likely causes an investigation, please visit here, learn more about the audit letter, visit here, and learn more about organizing documentation for an investigation here.   

How can HIPAA & HR non-compliance affect your practice? Join our live webinar with HR for Health on April 15.

REGISTER TODAY
X