Fines

New York OSH Center Case
Fines, OSHA

A New York Health Center’s Case is Denied Under OSH Act

November 28, 2022 Comments Off on A New York Health Center’s Case is Denied Under OSH Act

November 28, 2022 Hey, ref – blow the whistle already! Back in June of 2021, the U.S. Department of Labor filed suit against a New York health center due to an alleged violation of the OSH Act. It was reported that the NY health center suspended and later terminated an employee who had reported personal concerns about exposure to COVID-19. The employee, also known as the whistleblower did so under the OSH Act, which protects workers from retaliation when reporting a hazardous work condition.  The health center proceeded to file a motion in October of 2021, preventing the department from seeking damages for the whistleblower. Fast forward to September of this year, a federal court has rejected the health center’s case under the protection of the OSH Act.  Regional Solicitor of Labor, Jeffrey Rogoff adds, “This is a significant decision reaffirming the U.S. Department of Labor’s independent authority to pursue legal actions and relief for employees in the name of the public interest. The Office of the Solicitor of Labor will continue to aggressively bring cases seeking to vindicate the rights of whistleblowers, who are essential to the proper functioning of laws protecting the health and safety, wages, and wellbeing of the American workforce.” More investigations from the OSHA’s Division of Whistleblower Protection Programs are underway in New York. So what can we take away from this? As a reminder, the Whistleblower Protection Program enforces the provisions of more than 20 federal laws. These protect your employees from retaliation from raising or reporting their concerns about hazards of violations of various workplace safety and health. Make sure your office is a safe place where employees can voice their concerns, but more importantly you are taking the proper steps upfront to ensure your practice meets the necessary safety and health standards.

North Carolina Increases State OSHA Penalties
Fines, Legislation, OSHA

North Carolina Department of Labor Increases State OSHA Penalties and Updates Investigation Timelines

October 13, 2022 Comments Off on North Carolina Department of Labor Increases State OSHA Penalties and Updates Investigation Timelines

October 13, 2022 Do you get surprised and frustrated when policies change? How about when your bill was more expensive than you originally thought? We can relate. The North Carolina Department of Labor increased state OSHA penalties and investigations to match current Federal OSHA standards through the Appropriations Act. Starting October 1st, fines will increase and follow the same pattern every January 1st. Prior to this change, if a practice was fined the maximum under NC OSHA the cost to the practice would be: Wow, that’s a lot of dough – and we’re not talking about the pizza or cookie kind! And if you though that was expensive, here is what a violation will cost now: Notice anything special about the fines above? Some can be “per day”. We all know time is money and there’s no exception when it comes to OSHA. Not only are the penalties changing, but the time frame to issue citations is as well. Previously, citations could be levied up to six months from initial reporting. Also being implemented on October 1st, NC OSHA has six months from the first inspection to levy a citation, not from initial reporting like before. Don’t get me wrong – we love a good limbo at a party, but not when it comes to OSHA citations! The famous Pablo Piccaso said, “Action is the foundational key for all success”. With North Carolina amending a few OSHA policies, take the time to educate yourself to avoid any costly violations.

Dental Patient Right of Access
Audits, Fines, HIPAA

OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Comments Off on OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Boom! Pow! Bang! Three dental practices were sacked yesterday, resulting in nasty bruises and a loss of yards on the play. After heading into the locker room and studying some film, they recognized there were some lessons to be learned in the OCR’s HIPAA Right of Access playbook. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of three investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. The OCR’s HIPAA Right of Access Initiative started in 2019 to ensure patients receive their records in a timely and costly manner. With three actions in one day and a total of 20 just this year, we are seeing a 42% increase year over year in the enforcement of the Privacy Rule. The OCR’s effort has now raised the total to 41 Right of Access actions across the span of 3 years, setting a strong example for practices across the country on the importance of maintaining compliance. OCR Director, Melanie Fontes Rainer, states, “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” Here is an instant replay of when three dental practices crossed the line of scrimmage:  The first dental practice had a delay of game penalty after failing to provide timely access to their former patient’s records. The former patient didn’t receive a complete copy of their records until October 2020, five months after they filed a complaint back in May 2020. This resulted in a $30,000 settlement and the implementation of a Corrective Action Plan. The second dental practice got a 15-yard penalty for not providing a patient with a copy of her records in a timely or costly manner. The practice refused to provide the records because the patient wouldn’t pay the $170 copying fee. That’s not a fair catch! After the OCR got involved, the dental practice had to cough up $80,000 in settlement and adopt a Corrective Action Plan. Maybe they should’ve read the HIPAA Rule book! The starting running back fumbled the ball when this practice failed to provide a mother and her son with copies of their PHI until after the play clock hit zero. After multiple requests and eight months of waiting, she finally got the medical records in her hands. The dental practice had to fork over $25,000 and implement a Corrective Action Plan. After watching the game footage, there is a clear solution here! Make sure your practice provides patients with timely and costly access to their medical records. Six dental practices have been sacked so far in 2022, which means we have already witnessed a 600% increase solely in the dental space compared to the 2021 season. That is not a statistic you can ignore! You could be next, so we encourage you to make sure you have the right compliance measures in place to avoid these large fines. Is your game plan ready?

OCR Settles Case Concerning Improper Disposal of Protected Health Information
Fines, HIPAA

OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 Comments Off on OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 When it’s time to clean out and organize that ole garage, you probably want to take time to make sure all your sensitive and sentimental items – files, photographs, etc. – are in the right spot before taking them to the dump. It should be no different when it comes to disposing of old devices or hard drives at the office that contain sensitive ePHI, yet practices continue to fail. In recent news, the OCR announced a settlement for a dermatology practice located in Massachusetts that failed to properly dispose of protected health information. As a result, the dermatology practice agreed to pay the hefty fine of $300,640 to the OCR and implement a Corrective Action Plan to resolve the investigation. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling – so that the information cannot be read by the wrong parties. Despite this being common practice,  the Massachusetts dermatology practice had PHI that was exposed. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. It is critical that your practice understands how and where to dispose of PHI. But what exactly constitutes proper digital data disposal? Disposing of your PHI is not as simple as clicking the delete or trash button. If you do not completely delete these files from your devices, they can be recovered using high-tech software. The following are some thorough methods for properly disposing of PHI: There are lots of devices that could have been used to store PHI even though you would never realize they do. These devices include: Before you burn those electronic devices in a campfire, remember that HIPAA requires practices to keep PHI for at least 6 years, and maybe longer depending on your state. Devices containing data that is older than six years should be backed up before being wiped clean, and data should be encrypted while being kept. At the end of the day, whether it is boxes of important documents in your garage at home or PHI at your very own practice, it is critical to dispose of it properly and safely.

OCR Announces Eleven HIPAA Right of Access Fines
Fines, HIPAA

OCR Announces Eleven More HIPAA Right of Access Settlements

July 18, 2022 Comments Off on OCR Announces Eleven More HIPAA Right of Access Settlements

July 18, 2022 Waking up every morning is an eye-opening experience. Do you know what else is an eye-opening experience? Waking up to see all of the enforcement investigations the OCR launched against practices like yours. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. Under the HIPAA Privacy Rule, the OCR launched this effort to assist individuals’ right to timely access to their health records at a reasonable cost. HIPAA provides individuals with the right to view and get copies of their health information from their healthcare providers and health plans. A HIPAA-regulated entity has 30 days after receiving a request to provide an individual or their representative with their records in a timely manner. OCR Director, Lisa J. Pino, states, “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”  Practices are no longer sneaking under the radar! The Office for Civil Rights (OCR) just concluded its thirty-eighth enforcement action since the HIPAA Right of Access Initiative began in 2019. Totaling over $646,000 across eleven penalties, the announcement of the verdicts includes eleven cases. Here is a brief breakdown of a couple of the cases just released by HHS:  The first dental action includes a $5,000 settlement for failure to comply with the Right of Access provision stating covered entities must permit individuals to inspect and obtain a copy of their PHI. An eye care practice made the mistake of not providing a copy of a patient’s medical records until three days after the OCR investigated. Now that is crazy! To settle a potential violation of the HIPAA Privacy Rule right of access standard, the practice agreed to take corrective actions and pay $22,500. Something as simple as not giving your patients access to their data quickly enough can result in a huge fine! One not-for-profit health system learned the hard way by not responding timely enough to a complainant’s access request. This cost the health system a whopping $240,000!  So, whether it’s responding to a request or delivering that request on time, you need to make sure your practice is on point to avoid these heavy penalties. As we can see the queen bee (Lisa Pino) isn’t joking around on pushing the OCR’s  HIPAA Right of Access Initiative across practices, we encourage you to ensure you have the right HIPAA compliance measures in place. So what’s the holdup? For less than a scratch-off ticket a day you can save your practice from those sneaky fines and become friends with Abyde today!

Oklahoma State University HIPAA Fine
Fines, HIPAA

Oklahoma State University – Center for Health Services Forks Over $875,000 to Settle Hacking Breach

July 15, 2022 Comments Off on Oklahoma State University – Center for Health Services Forks Over $875,000 to Settle Hacking Breach

July 15, 2022 What did the duck say when she went to buy lipstick? Put it on my bill! Speaking of bills (the money kind, not a beak), Oklahoma State University had to pay a huge bill of $875,000! It acts as a settlement for a huge hacking breach of the OSU CHS web servers. Oklahoma State University has agreed to pay the price and complete a corrective action plan over the next two years to resolve all of the violations of the Breach Notification Rules, Security, and HIPAA Privacy. OCR received a breach report in 2018 due to the hacking of the OSU’s web servers. They discovered that the hacker of this breach had access to 279,865 individuals’ electronic protected health information (ePHI). OSU found that the hackers had access to patients ePHI earlier than they originally thought, on March 9th, 2016. OCR Director, Lisa J. Pino, states, “HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems.”  As technology in the healthcare business evolves, it is critical to understand how to appropriately secure personal health information (PHI) when being stored or sent. With cybersecurity dangers on the rise and electronic communication becoming more widespread, it’s imperative to secure your patients’ data. Encryption services are an excellent method to safeguard your practice and avoid those sticky HIPAA violations. Good news for you, you don’t have to be a sitting duck! (Cough, Abyde.)  The OCR reported that OSU failed to follow the HIPAA rules by: Unfortunately for the Cowboys, their failure to maintain proper security, risk analysis measures, and documentation of compliance cost them a large fine and put all of the OSU patients ePHI at risk. This breach, and corresponding financial settlement, highlight that even for huge organizations like OSU, the right risk analysis practices and HIPAA-compliant policies are a must in order to prevent impermissible safeguarding or access to ePHI.  Even as an independent practice, you may not feel like you have anything in common with a big fish like OSU. No matter if you’re a duck, fish, or cowboy, it doesn’t matter – everyone is monitored and at risk. As the penalties for these violations become more severe, it is more crucial than ever to ensure that your practice has a solid HIPAA program in place.

Dentistry HIPAA Fines
Fines, HIPAA

Dentistry HIPAA Fines

March 29, 2022 Comments Off on Dentistry HIPAA Fines

March 29, 2022 Dental practices are no longer flying under the radar! The Office for Civil Rights (OCR) just concluded its twenty-seventh enforcement action since the HIPAA Right of Access Initiative began in 2019. Totaling over $170,000 across four penalties, the announcement of the verdicts includes two cases as part of the HIPAA Privacy Rule. The additional actions related to the disclosure of patients’ protected health information (PHI). Here is a brief breakdown of the three dental cases just released by HHS:  The first dental action includes a $30,000 settlement against the initially cited $104,000 for failure to comply with the Right of Access provision stating covered entities must permit individuals to inspect and obtain a copy of their PHI. Nearly two-and-a-half years from the time of citation, the practice has completed a package of action plans, creating a costly and lengthy resolution process.  Something as simple as Google review responses can get you fined! One provider learned the hard way the dos and don’ts of reputation management. A patient filed a complaint with the OCR after the provider included the patient’s full name and PHI in their review response. This cost the practice a whopping $50,000!  Not the usual politician slip up, but a recent provider running for office learned not to mix business and pleasure. As part of his political campaign, the provider shared names and addresses of over 5,000 patients with both his campaign manager and third-party marketing partner to distribute letters and emails. Resulting in a final citation of $62,500, this surely put a roadblock on his campaign trail!  As we see the OCR cracking down on their HIPAA Right of Access Initiative across dental practices, we encourage you to ensure you have the right HIPAA compliance measures in place. With an hour of your time, we will get you everything you need. How much is an hour of your time worth – we bet it’s not $170,000!

$600K Settlement for HIPAA Breach
Fines, HIPAA

NY Attorney General Announces $600K Settlement for HIPAA Breach Impacting 2.1M People

January 28, 2022 Comments Off on NY Attorney General Announces $600K Settlement for HIPAA Breach Impacting 2.1M People

January 28, 2022 We aren’t even a full month into 2022 and it’s already looking like increasing HIPAA enforcement might be a New Year’s Resolution for the state of New York. Starting the year off strong, New York Attorney General Letitia James just announced a $600k settlement with vision benefits provider EyeMed as a result of a healthcare data breach that compromised the Protected Health Information (PHI) of over 2 million individuals. It all started back in June of 2020 when cybercriminals got ahold of an EyeMed email account after the provider failed to implement any multi-factor authentication and sufficient password management processes. In just a week of the hackers having access to the EyeMed email account, they were able to obtain emails and attachments from up to six years prior. The following month, the same attacker used the email account to send out 2,000 phishing emails, looking to acquire the login credentials of other EyeMed users. This lack of proper safeguards and security protocols enabled millions of individuals’ names, social security numbers,  addresses, medical diagnoses’ and other sensitive data to be compromised. This latest settlement adds on to the continued rise in cyber attacks and government enforcement seen over past years, further proving just how important having a strong cybersecurity and HIPAA program are for healthcare providers. So if your New Year’s Resolution is to avoid a cyberattack yourself, we recommend ensuring that you have the following in place: While data breaches and cyberattacks aren’t always totally avoidable, checking off the list items above is a great way to reduce your chances. But in the case that you’ve already experienced a data breach in 2021, it’s important to note that the annual minor breach reporting deadline (classified by HIPAA as incidents impacting fewer than 500 individuals) is rapidly approaching on March 1, 2022. And as for any major incidents affecting 500+ individuals – the reporting requirement is within 60 days of discovery (or less depending on your state). So some final words of advice? Have the necessary compliance and security programs in place to protect your practice from falling victim to an attack like EyeMed. And in the chance that you do experience a breach, follow the breach reporting requirements to reduce the fines and penalties that could come as a result.  

NJ Attorney General Imposes HIPAA Fine
Fines, HIPAA

NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation

December 21, 2021 Comments Off on NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation

December 21, 2021 Handling sensitive information without having the right safeguards in place can be like playing with fire, and we’ve all seen enough headlines to know just how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA has agreed to strengthen data security and privacy practices to prevent further breaches. The investigation was sparked back in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first of the two breaches occurred after several RCCA employees fell victim to a targeted phishing scheme that gave unauthorized access to patient data stored on those accounts from April – June 2019. The phishing scheme exposed driver’s license, Social Security, and financial account numbers along with other health records. While the threat of a phishing scheme can be better avoided through proper cybersecurity measures and employee training, the even bigger problem began in RCCA’s attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified impacted patients in July of that same year. However, the third-party vendor they used to provide this notice, improperly mailed notification letters intended for 13,047 living patients by addressing the patients’ perspective next-of-kin. This mistake resulted in patients’ relatives being informed of their medical conditions without consent – essentially just adding even more fuel to the blaze that the initial breach set off. Now just one lit match wouldn’t ignite a settlement of this proportion, but rather RCCA’s failure to do all of the following:  So while the rising trend of healthcare data breaches won’t be easily extinguished, keeping your practice best-protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority and the message from Acting Attorney General Bruck stating, “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” is hopefully something that will spark some change. 

5 HIPAA Right of Access Violations
Fines, HIPAA

OCR Settles 5 HIPAA Right of Access Violations

December 1, 2021 Comments Off on OCR Settles 5 HIPAA Right of Access Violations

December 1, 2021 In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally) – announcing five separate HIPAA Right of Access violations all in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-violation announcement. The latest enforcement brings the Right of Access settlement total to 25 and dollars collected to $1,505,650 since the government announced their enforcement initiative back in 2019. And while the not-so-lucky receivers of the government’s “gifts” range by size, specialty, and location – failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share. Wake Health Medical Group The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 fine and corrective action plan to resolve their violation of the HIPAA Privacy Rules’ Right of Access standard.   Denver Retina Center Violation number two was given to a Denver-based ophthalmologist and included a $30,000 settlement and one-year corrective action plan as a result of their potential HIPAA Right of Access violations. Advanced Spine & Pain Management (ASPM) The third settlement was gifted to a provider of management and treatment of chronic pain services out of Ohio, whose Privacy Rule violations landed them with a $32,150 fine and corrective action plan consisting of two years of monitoring. Rainrock Treatment Center, LLC (dba Monte Nido Rainrock) Violation number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and participate in a year-long corrective action plan to settle their HIPAA violations.   Dr. Robert Glaser And last but certainly not least, the fifth settlement came as a result of not only failing to provide a patient with a copy of their medical records but also lacking cooperation with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived their rights to a hearing, leaving them with a civil money penalty of $100,000. In addition to the settlement announcement, the recently appointed OCR Director, Lisa J. Pino issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”  While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself as a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday” – getting your organization HIPAA compliant and meeting all government requirements – including Patient Right of Access – is the year-round gift that keeps on giving so you can avoid making the next OCR settlement list.

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X