Fines

Missing Business Associate Agreements HIPAA Fine
Fines, HIPAA

Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Comments Off on Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for their failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program.  The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practices’ patient’s electronic protected health information in exchange for $50,000 to be paid by the practice.  While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found themselves in the government’s crosshairs. Within the compliance review, the OCR had found that the practice had failed to do the following:  Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patient’s PHI at risk. This breach, and corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent impermissible safeguarding or access to PHI. OCR Director, Roger Severino, included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place. 

1st HIPAA Right of Access Fine
Fines, HIPAA

OCR Settles First Case in HIPAA Right of Access Initiative

September 9, 2019 Comments Off on OCR Settles First Case in HIPAA Right of Access Initiative

September 9, 2019 Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is announcing its first enforcement action and settlement in its Right of Access Initiative.  Earlier this year, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules after Bayfront failed to provide a mother timely access to records about her unborn child.  Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. OCR initiated its investigation based on a complaint from the mother.  As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request and providers can only charge a reasonable cost-based fee.  This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino.  “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bayfront/index.html

Record HIPAA Fine
Fines, HIPAA

Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

October 16, 2018 Comments Off on Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

October 16, 2018 Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016. Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans. On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014. In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

What's coming next in HIPAA? Join our June webinar to stay up to date.

REGISTER NOW
X