HHS Cracks Down on New Jersey Nursing Facility for HIPAA Violation

April 1, 2024

The U.S. Department of Health and Human Services (HHS) has imposed a civil monetary penalty of $100,000 on Hackensack Meridian Health West Caldwell Care Center, a skilled nursing facility in New Jersey. The facility violated the HIPAA Right of Access law. The penalty stems from the facility’s failure to provide a patient’s medical records to their authorized representative in a timely manner, or within 30 days. 

According to the HHS Office for Civil Rights (OCR), which investigated the case, Hackensack Meridian Health withheld the records even after receiving documentation demonstrating the individual’s legal right to access them. The requested records were ultimately sent to the authorized representative only after intervention by the OCR.

HIPAA guarantees patients the right to access and obtain copies of their medical records. The OCR enforces this regulation and takes action against healthcare facilities that fail to comply.

“A patient’s timely access to health records is paramount for medical care,” said OCR Director Melanie Fontes Rainer in a press release. “The OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

This incident highlights the importance of HIPAA and the rights it grants patients regarding their medical information. It also serves as a reminder for healthcare providers to ensure they have clear procedures in place for handling requests for medical records.

This is also the second Right of Access violation ruled on in the last week. Read more about other recent fines here.

RECENT POSTS

Related posts

BayCare HIPAA Fine
Abyde News, Fines, HIPAA

BayCare’s $800k HIPAA Violation: The Consequences of Unmonitored Staff Access

May 29, 2025 No comments yet

May 29, 2025   A successful practice is built upon a strong foundation of well-trained and aware staff.  Protecting patient data is a critical responsibility for healthcare staff. Data breaches involving Protected Health Information (PHI) can occur in many ways, but the foundation of security lies in a workforce committed to safeguarding it. A Florida healthcare provider, BayCare Health System, experienced the consequences of improper disclosure of PHI due to a complaint and a noncompliant staff member in the latest HIPAA fine.  Acting Director of the Office for Civil Rights (OCR) Anthony Archeval commented on the importance of managing staff access, saying, “allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”   What Happened? In 2018, an unnamed complainant visited St. Joseph’s Hospital, a facility under the BayCare Health System, for an appointment. After treatment, she received communication from an unknown contact who sent the complainant photos of her medical records and a video of a BayCare associate scrolling through her file as well.  This communication led to a complaint filed with the OCR. Several years of legal interactions and investigations by the OCR resulted in an $800,000 settlement six years later.  After the investigation, it was found that BayCare failed to have procedures and policies for handling ePHI, failed to reduce risks, and did not review staff access.  This nearly million-dollar fine resulted from a malicious insider, insufficient documentation, and an oversight of staff privileges.  Reviewing staff access is vital for protecting patient data. By monitoring staff activity, you can ensure that PHI does not end up in the wrong hands. Additionally, when providing staff with access to PHI, confirm that access is necessary to complete essential job tasks. This falls under the Minimum Necessary Standard within the HIPAA Privacy Rule, which enforces that disclosed PHI is only shared for an authorized and required purpose.  Staff must be thoroughly trained in their responsibilities before accessing PHI, and policies and procedures regarding handling PHI must be readily available for staff to review.  While this situation did not lead to jail time, it is not unheard of in the medical field, so staff must also be aware of the consequences.    Training and Monitoring Staff with Abyde Smart compliance solutions streamline training, policies and procedures, and monitoring access, creating a culture of compliance that protects your organization from malicious insiders. With an intelligent platform managing compliance, you can dynamically generate unique policies and procedures in seconds, automating this task without human error.  Additionally, a centralized compliance hub allows staff to review documentation before working with patients and refer to it if there is any confusion. Access logs can also be found in this hub, which keeps staff accountable when they review patient PHI.  With intelligent solutions, proactive compliance is made easy, encouraging staff to take their HIPAA responsibilities seriously. Speak with a compliance expert today to learn more about how compliance can be simplified for your practice. 

Small Healthcare Practice HIPAA Fine
Abyde News, Fines, HIPAA

Small Size, Same Rules: HIPAA Fine Serves as Reminder for All Healthcare Providers

May 19, 2025 No comments yet

May 19, 2025   HIPAA compliance is not just a recommendation; it’s a requirement, no matter how small your organization is. The latest HIPAA fine is a testament to this, with Vision Upright MRI the latest practice to be penalized.  The small California MRI center experienced a significant breach, which exposed several violations in the fallout. Acting Office for Civil Rights (OCR) Director Anthony Archeval emphasized the widespread cybersecurity risks, noting that these threats impact healthcare providers of all sizes:  “Cybersecurity threats affect large and small covered healthcare providers.”  Vision Upright MRI was fined $5,000 and will now face a two-year Corrective Action Plan (CAP), being monitored by the OCR.  This fine showcases that no practice, big or small, must be followed to keep patient data safe.     What Happened? At the end of 2020, Vision Upright MRI experienced a breach in its systems due to an insecure server. This cybercrime exposed over 21,000 patients’ medical images, leading to the OCR’s investigation.  The investigation discovered that the MRI center had never completed a Security Risk Analysis (SRA). The SRA thoroughly examines a practice, reviewing all current safeguards to secure Protected Health Information (PHI). These safeguards can include physical barriers the practice has implemented, like locked doors and alarms, and the administrative techniques the practice follows, like routinely checking access to sensitive patient data.  The SRA is critical for a compliant practice and should be completed annually and after any breaches.  While the SRA is a fundamental requirement for a practice, it is unfortunately often overlooked. The OCR has implemented a Risk Analysis Initiative to ensure practices are completing this requirement, and has reinstated the audit program, reviewing if regulated entities are maintaining this document.  In addition to missing the SRA, Vision Upright MRI did not properly notify affected parties within 60 days, violating the Breach Notification Rule.  The Breach Notification Rule requires practices to notify patients within 60 days of discovering a breach, regardless of how many were impacted. This short timeline allows patients to take the necessary precautions for the safety of their data. The practice should also provide credit monitoring. Since this event impacted well over 500 patients, the threshold to consider the situation a large breach, Vision Upright MRI also needed to notify the media and the OCR within a 60-day timeline. Communicating this is imperative, allowing the OCR to swiftly begin its investigation and potentially affected patients to receive information through media channels. These serious missteps led to the monetary settlement and years of government monitoring.    Streamlining HIPAA Compliance Even a small practice doesn’t require overwhelming resources to be HIPAA compliant. The right compliance program can simplify HIPAA compliance. With smart solutions, the SRA can be completed easily, reviewing questions and potential vulnerabilities the practice faces. Additionally, breaches can be reported in intelligent software, with compliance experts assisting practices through alerting patients and the OCR.  Meet with an expert today to learn how to automate your compliance program.   

PIH HIPAA Phishing Fine
Abyde News, Fines, HIPAA

Phishing Risks and Notification Delays: A Lesson in Managing a HIPAA Breach

April 24, 2025 No comments yet

4.24.25 As we head into the middle of the year, it’s safe to say that the Office for Civil Rights (OCR) is ramping up enforcement. Since the beginning of this year, over $6M in fines have been levied, with new penalties being announced weekly.  The latest fine showcases that the OCR can and will investigate breaches no matter your organization’s size. The latest HIPAA fine was imposed on PIH Health, Inc. (PIH), a California health network comprised of over a hundred health practices throughout the state.  PIH’s HIPAA violations have cost the organization $600,000. Due to these violations, the organization will be monitored for two years under a Corrective Action Plan (CAP). These violations exposed numerous shortcomings of the organization due to a phishing attack, emphasizing the importance of thorough safeguards for practices of all sizes.  What Happened?  In June 2019, a phishing attack compromised 45 PIH employee accounts. This breach devastated an organization with millions of patients, putting nearly 200,000 patients at risk.  While the phishing attempt occurred in the summer of 2019, the breach was not reported to affected patients or the OCR until January 2020.  When a breach impacts over 500 patients, time is of the essence. Parties must be notified within 60 days of the breach, including widespread press releases for the media.  More issues were brought to light once the OCR was aware of this breach. The organization lacked a sufficient Security Risk Analysis (SRA). The SRA is an exhaustive assessment of a practice, reviewing all safeguards and highlighting any vulnerabilities before a breach occurs.  This is at the base of a compliant practice, and the OCR has introduced the Risk Analysis Initiative to ensure that practices have this documentation in place.  Overall, this successful phishing attempt revealed inadequacies and several HIPAA violations. In addition, the organization’s failure to notify the OCR and patients promptly also contributed to the severity of the fine. Protecting Patient Data The healthcare industry’s sensitive data makes it the prime target for phishing attacks. Healthcare organizations must provide comprehensive staff training to avoid suspicious emails and, in general, risk mitigation techniques.  Healthcare practices must always address the breaches quickly. Timely notification of the OCR and affected patients ensures that all parties are aware of the breach’s impact and understand how to monitor their data. No matter the organization’s size, using smart software can help simplify compliance, avoid significant fines, and reduce patient data risk. For example, the SRA can be streamlined with compliance software, ensuring your practice knows the appropriate safeguards before an incident occurs. Intelligent solutions also provide your practice with a centralized compliance hub, letting staff know precisely what they need to secure patient Protected Health Information (PHI).  To learn more about how your practice can streamline common HIPAA violations, schedule a meeting with a compliance expert today.

Is your practice prepared for a HIPAA investigation? Get educated with our new eBook.

DOWNLOAD NOW
X