January 28, 2022 We aren’t even a full month into 2022 and it’s already looking like increasing HIPAA enforcement might be a New Year’s Resolution for the state of New York. Starting the year off strong, New York Attorney General Letitia James just announced a $600k settlement with vision benefits provider EyeMed as a result of a healthcare data breach that compromised the Protected Health Information (PHI) of over 2 million individuals.

It all started back in June of 2020 when cybercriminals got ahold of an EyeMed email account after the provider failed to implement multi-factor authentication and sufficient password management processes. In just a week of having access to the EyeMed email account, the hackers were able to obtain emails and attachments from up to six years prior. The following month, the same attacker used the email account to send out 2,000 phishing emails, looking to acquire the login credentials of other EyeMed users. This lack of proper safeguards and security protocols enabled millions of individuals’ names, social security numbers, addresses, medical diagnoses and other sensitive data to be compromised.

This latest settlement adds to the continued rise in cyber attacks and government enforcement seen over past years, further proving just how important a strong cybersecurity and HIPAA program is for healthcare providers. So if your New Year’s Resolution is to avoid a cyberattack yourself, we recommend ensuring that you have the following in place:

While data breaches and cyberattacks aren’t always totally avoidable, checking off the list items above is a great way to reduce your chances. But in the case that you’ve already experienced a data breach in 2021, it’s important to note that the annual minor breach reporting deadline (classified by HIPAA as incidents impacting fewer than 500 individuals) is rapidly approaching on March 1, 2022. And as for any major incidents affecting 500+ individuals – the reporting requirement is within 60 days of discovery (or less depending on your state).

So some final words of advice? Have the necessary compliance and security programs in place to protect your practice from falling victim to an attack like the one EyeMed suffered. And in the chance that you do experience a breach, follow the breach reporting requirements to reduce the fines and penalties that could come as a result.
NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation
December 21, 2021 Handling sensitive information without having the right safeguards in place can be like playing with fire, and we’ve all seen enough headlines to know just how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA has agreed to strengthen data security and privacy practices to prevent further breaches.

The investigation was sparked back in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first of the two breaches occurred after several RCCA employees fell victim to a targeted phishing scheme that gave unauthorized access to patient data stored on those accounts from April – June 2019. The phishing scheme exposed driver’s license, Social Security, and financial account numbers along with other health records.

While the threat of a phishing scheme can be better avoided through proper cybersecurity measures and employee training, the even bigger problem began in RCCA’s attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified impacted patients in July of that same year. However, the third-party vendor they used to provide this notice improperly mailed notification letters intended for 13,047 living patients by addressing them to the patients’ next-of-kin. This mistake resulted in patients’ relatives being informed of their medical conditions without consent – essentially just adding even more fuel to the blaze that the initial breach set off.

Now just one lit match wouldn’t ignite a settlement of this proportion, but rather RCCA’s failure to do all of the following:

So while the rising trend of healthcare data breaches won’t be easily extinguished, keeping your practice best-protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority, and the message from Acting Attorney General Bruck stating, “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” is hopefully something that will spark some change.
OCR Settles 5 HIPAA Right of Access Violations
December 1, 2021 In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally) – announcing five separate HIPAA Right of Access violations all in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-violation announcement. The latest enforcement brings the Right of Access settlement total to 25 and dollars collected to $1,505,650 since the government announced their enforcement initiative back in 2019. And while the not-so-lucky receivers of the government’s “gifts” range by size, specialty, and location – failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share.

Wake Health Medical Group
The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 fine and corrective action plan to resolve their violation of the HIPAA Privacy Rule’s Right of Access standard.

Denver Retina Center
Violation number two was given to a Denver-based ophthalmologist and included a $30,000 settlement and one-year corrective action plan as a result of their potential HIPAA Right of Access violations.

Advanced Spine & Pain Management (ASPM)
The third settlement was gifted to a provider of management and treatment of chronic pain services out of Ohio, whose Privacy Rule violations landed them with a $32,150 fine and corrective action plan consisting of two years of monitoring.

Rainrock Treatment Center, LLC (dba Monte Nido Rainrock)
Violation number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and participate in a year-long corrective action plan to settle their HIPAA violations.

Dr. Robert Glaser
And last but certainly not least, the fifth settlement came as a result of not only failing to provide a patient with a copy of their medical records but also lacking cooperation with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived their rights to a hearing, leaving them with a civil money penalty of $100,000.

In addition to the settlement announcement, the recently appointed OCR Director, Lisa J. Pino, issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking of themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself as a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday” – getting your organization HIPAA compliant and meeting all government requirements – including Patient Right of Access – is the year-round gift that keeps on giving so you can avoid making the next OCR settlement list.
OCR Announces 20th HIPAA Right of Access Settlement
September 10, 2021 There might not be such a thing as time travel but with the latest HIPAA settlement announcement, it’s looking like the Office for Civil Rights (OCR) has traveled back to their own version of the Roaring ‘20s. Two years, and now twenty resolutions later, the government initiative to support individuals’ right to timely record access has driven its own little economic boom – with the 20th financial penalty bringing the right of access running total to $1,173,500.

Children’s Hospital & Medical Center (CHMC) became the most recent healthcare organization to settle with the OCR, with a fine of $80,000 and a requirement to adopt a corrective action plan that involves one year of government monitoring. But while the Nebraska-based pediatric provider probably isn’t too jazzed about the repercussions, the penalty comes as a result of an equally unhappy individual who was not provided the proper access that HIPAA strives to ensure.

The issue was brought to the OCR’s attention back in May of 2020 after a parent filed a complaint alleging that CHMC failed to provide full access to her late daughter’s medical records. The complaint stated that while the organization fulfilled a portion of the request, CHMC failed to provide all of the requested records despite the parent’s several follow-up requests. The delay was in part due to the remainder of the requested records having to be obtained from a different CHMC division, but it wasn’t until after the OCR’s investigation that full access was provided.

In addition to the resolution agreement, Acting OCR Director Robinsue Frohboese said in a statement, “Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”

While this settlement shares plenty of similarities with the 19 other examples of noncompliance that we have seen since the enforcement initiative started, it’s important to note the fact that this $80,000 fine was the result of just one patient complaint. And though the Roaring ’20s might’ve been a relatively short-lived era, proposed updates to the HIPAA Privacy Rule and expansions to the OCR budget are enough to predict that the right of access enforcement initiative isn’t going anywhere, anytime soon. So with the latest settlement serving as the perfect example of just how much damage a single HIPAA complaint can do to a healthcare organization – ensuring you’re fulfilling all medical record requests in a timely and HIPAA-compliant manner is essential to avoid becoming lucky settlement number 21.
The Cost of a HIPAA Violation
September 3, 2021 We’ve all seen enough news headlines to know that the going rate for a HIPAA violation isn’t cheap. This past year has tallied up more than a handful of fines with numbers that might not have Jeff Bezos doing a double-take, but certainly have us seeing dollar signs. Not to mention that the first fine of 2021 brought in $5.1 million alone. And although not every HIPAA violation warrants front-page news status, even the minimum fine amount can do some major damage – especially when it’s a small, independent practice footing the bill. So if you’re looking for an exact dollar amount, to date the Office for Civil Rights (OCR) has collected on 101 settlements to the tune of $135,328,482.

We all know that a check that size doesn’t just add up without reason, but what caused it to accumulate and why so high? Well, back when HIPAA law was first introduced in 1996, the hope was to establish a set of standards to protect sensitive health information in the medical industry. But as the later published Privacy and Security Rules provided a laundry list of requirements for covered entities to follow, many failed to fully comply. So in 2006, the government came up with a solution and that’s where the HIPAA Enforcement Rule was born. It was this ruling that essentially started the tab on that billion-dollar bill, granting the OCR the right to hold covered entities and their business associates accountable with fines and other penalties for noncompliance.

Now just as the repercussions for speeding are understandably different than they are for a case of highway robbery, HIPAA fines also come with a “prices may vary” label attached. Each penalty is determined based on the extent to which the organization was aware that HIPAA rules were being violated and is broken down into the following four tiers:

If you were wondering, that “per incident” statement is the reason why we see those multi-million-dollar fines – and what comes with HIPAA’s many different rules is a lot of different ways to break them. But it’s not just the monetary penalties that violators have to worry about. HIPAA settlements are usually a package deal including a corrective action plan that typically involves anywhere from two to three years of OCR monitoring. And if hefty fines and the government breathing down your back aren’t enough to prove just how costly violations can be – in the case that the HHS decides that there was deliberate malicious intent, the Department of Justice can step in and also assign criminal penalties with maximum jail time of 10 years.

We know that the mention of hefty fines and possible jail time definitely puts a damper on things, but with every “bad news” there’s typically good to follow. So the good news is there are ways to help avoid these worst-case scenarios, and recently passed legislation like the Safe Harbor Law offers protection against incidents like data breaches that aren’t as easily avoidable. But the best protection? Having a full understanding of your organization’s responsibilities and a complete HIPAA compliance program to check all the government’s boxes. Because after all – with how high the cost of a violation can be, you can’t put a price tag on the peace of mind that comes with being compliant.
OCR Announces 19th Right of Access Settlement
June 2, 2021 With the official kickoff of summer only a few weeks away, the Office for Civil Rights (OCR) is getting some last-minute spring cleaning in – announcing their latest HIPAA settlement with a practice whose Privacy Rule violations couldn’t be swept under the rug. Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was handed a $5,000 fine and tasked with a two-year corrective action plan (CAP) to help clean up their “HIPAA mess” that started back in 2019.

Today’s fine marks the 19th Patient Right of Access settlement since the OCR officially announced their initiative two years ago. And ironically enough – around the same time that the government was declaring their focus on enforcing the standards around patient rights, DELC became a perfect example of just how many practices weren’t upholding them. The incident began in July of 2019 when a parent requested access to her minor child’s health records. After DELC failed to take timely action in response to the request, a complaint was filed with the OCR in early August 2019. It wasn’t until the OCR got involved that the healthcare organization finally provided access, almost two whole years after the initial request.

Though the fine amount might seem on the lower end of what the OCR typically doles out, the corrective action plan has plenty of requirements to make up for it, and just to name a few:

This hefty “honey-do list” shows that the dollar amount doesn’t cover all the costs associated with violating HIPAA and proves why it’s so important to get your practice’s compliance efforts in order before an incident occurs. So while DELC took longer to fulfill the request than it would take to dust off every book in the Library of Congress, the OCR hasn’t delayed in performing quite a bit of housekeeping themselves. With 19 settlements and $1,093,500 collected on behalf of patient right of access violations, the OCR has stuck to their initiative and continued to sweep up any and all violators.

And though the settlements all range in resolution amount, corrective action requirements, and organization size and specialty – the message has always been the same and was reiterated by Acting OCR Director Robinsue Frohboese: “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”
OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations
May 25, 2021 No matter the time of year, HIPAA enforcement never goes out of season, and we have today’s announcement from the Office for Civil Rights (OCR) to prove it. The latest HIPAA settlement and sixth of the year involves Peachstate Health Management, LLC – a clinical laboratory based out of Georgia that provides diagnostic and laboratory-developed tests. The violation stemmed from Peachstate’s failure to meet several of the HIPAA Security Rule requirements and led to a $25,000 fine and three-year corrective action plan issued by the OCR – a result that probably didn’t leave the organization feeling too peachy after all.

So what happened? Well, it may seem like comparing apples to oranges when looking at what triggered this settlement versus the ones we’ve recently seen centered around patient right of access violations and large cyberattacks. But the latest violation resulted from a variety of different and very relevant factors, from data breaches to telehealth and business associates, with systemic noncompliance at its core.

It started back in 2015 after the U.S. Department of Veterans Affairs (VA) reported a data breach involving their telehealth services program managed by its business associate, Authentidate Holding Corporation (AHC). A year later, the OCR initiated an investigation into the business associate’s compliance program, where they uncovered that AHC and Peachstate had earlier entered into a reverse merger in January of 2016 whereby AHC acquired Peachstate. As a result of this finding, the OCR opened up another compliance review into Peachstate and found that the clinical laboratories were ripe for the picking in their ongoing noncompliance in the following key areas:

In addition to the fine and extensive corrective plan that the OCR issued, their response to the incident and message for other healthcare organizations is the cherry on top and should not be taken lightly. “Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

So in other words – the only way to avoid being the low-hanging fruit for a HIPAA violation is ensuring that your healthcare organization has met these basic standards that Peachstate was missing. And while an apple a day might keep the doctor away, this latest settlement is yet another example of why having a complete compliance program in place is so essential to keeping your practice away from OCR scrutiny and avoiding a HIPAA fine like this one.
OCR Alert Warns of Postcard Disguised as Official Government Communication
April 28, 2021 You’ve got mail! The Office for Civil Rights (OCR) just issued an alert warning of a potential HIPAA scam hitting your mailbox that you should be on the lookout for. The government was recently made aware that postcards disguised as official OCR communication were being sent to health care organizations informing recipients that they needed to complete a “Required Security Risk Assessment” and directing that completed assessments be sent to a non-governmental marketing consulting website that has since been taken down. This hand-delivered scare tactic came from a private entity and should NOT be mistaken as an official notification from the OCR or the U.S. Department of Health and Human Services (HHS).

In addition to keeping an eye out for these counterfeit postcards, the OCR recommends verifying any and all “government” communications to ensure they’re actually official and alerting all staff members to do the same. They suggest looking for the OCR email address, which will end in @hhs.gov, and recommend asking for a verification email from the OCR investigator’s hhs.gov email address. The OCR also provides the addresses for their HQ and Regional Offices, which can be found at https://www.hhs.gov/ocr/about-us/contact-us/index.html and should be confirmed as properly listed in any communications received.

This isn’t the first and probably won’t be the last time we receive alerts of these types of HIPAA scams. Back in August of last year, a similar incident occurred where fraudulent postcards labeled on the OCR’s behalf were notifying healthcare organizations to complete a mandatory HIPAA compliance risk assessment and directing them to another marketing consulting service website. So while fake postcards seem to be a common approach, it’s important to be aware of any and all types of HIPAA scams, especially as hackers and other organizations with malicious intent get more and more creative in their efforts.

Though this postcard is by no means an official communication from the government, the mandatory Security Risk Analysis (SRA) at its focus should not be overlooked. So if fulfilling this HIPAA requirement brings more cause for concern than the scam itself, you’re not alone. In fact, the OCR’s latest audit industry report found that only 14% of covered entities and 17% of business associates had a proper SRA in place. So if your practice falls into the large majority of those that aren’t up to these HIPAA standards, this OCR alert should give you even more reason to get there, and a software solution like Abyde gives you all the tools and resources needed to do so.
HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced
March 26, 2021 Looks like the Office for Civil Rights (OCR) just decided to play a quick round of 18 – announcing their 18th right of access settlement (and second of the week) with yet another practice whose HIPAA compliance efforts were well below par. Village Plastic Surgery (“VPS”) was the latest to tee off against the OCR in a matchup that resulted in a $30,000 fine and two-year corrective action plan. And with the 17th right of access settlement announced only two days ago – the tough loss endured by the New Jersey-based provider was just par for the course.

The round began back in September of 2019, after a patient filed an all too familiar complaint to the OCR that the practice had failed to respond to their record request that was made a month prior. Unlike previous settlements where the organization was first provided with technical assistance, all it took was a single patient complaint for the OCR to determine that VPS failed to meet right of access standards – setting the tone that there are no mulligans when it comes to a HIPAA violation.

It’s pretty clear that if you’re not meeting HIPAA requirements, becoming the next opponent on the OCR’s lineup is anyone’s game. But if two fines in one week don’t drive the point home, maybe the latest statement from OCR Director Robinsue Frohboese will be right on target: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner, covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

So, with $5,540,000 collected in HIPAA fines in 2021 alone and patient right of access being a clear government focus – ensuring that your practice’s compliance program is up to par is the best and only way to steer clear of the next round of OCR enforcement.
OCR Continues to Take Non-Compliance By Storm – Announcing 17th Right Of Access Settlement
March 25, 2021 We are definitely no meteorologists over here, but if there’s one pattern that we’ve gotten pretty good at predicting, it’s the government’s focus on HIPAA non-compliance. And with another right of access settlement hitting our inboxes just yesterday – it’s looking like HIPAA enforcement season is in full effect. Arbour, Inc., d.b.a. Arbour Hospital (“Arbour”), was the latest to get caught in the Office for Civil Rights (OCR) storm – but instead of heavy rainfall and thunder, the Massachusetts-based behavioral health provider was hit with a whopping $65,000 fine and corrective action plan. The announcement marks the 17th right of access settlement since the OCR declared their enforcement initiative back in the fall of 2019, proving that whoever said that lightning never strikes the same place twice clearly didn’t know HIPAA.

Arbour first showed up on the OCR’s radar back in July of 2019, after they received a complaint alleging that the practice had failed to respond to a patient’s record request in a timely manner. Despite the OCR providing technical assistance, the practice took a rain check on providing record access and a second patient complaint came rolling in later that month. As a result of the OCR’s investigation, Arbour finally provided the patient with their records more than 5 months after the patient’s initial request – making the perfect storm for a HIPAA violation.

With 17 cases settled and $1,068,500 collected in fines since the right of access initiative began, it’s looking like when it rains, it pours as far as OCR enforcement is concerned. And if the numbers aren’t telling enough, Acting OCR Director Robinsue Frohboese issued her storm warning loud and clear in her latest statement: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.”

A key takeaway from the 17 practices caught in the government’s flood zone? In more than half of the published settlements, the organization was notified twice by the OCR and provided with technical assistance. And if they had listened to the first warning siren, they could’ve potentially avoided the settlement entirely. Taking timely action in response to a patient’s records request has shown to be an ongoing issue for covered entities of all specialties and sizes, and with the proposed HIPAA Privacy Rule changes shortening the record response time from 30 days to 15 days, we can foresee dark skies ahead if practices don’t start complying.

So, how do you avoid the hailstorm that comes with an OCR audit? Simply put, ensuring your practice adheres to state and federal Patient Right of Access laws while also having the necessary policies and procedures to back it up is a great place to start. But in order to fully weather the elements of government enforcement, you must meet ALL of the requirements that fall under the HIPAA umbrella and keep your compliance program a priority come rain or shine.