May 25, 2021 No matter the time of year, HIPAA enforcement never goes out of season, and today's announcement from the Office for Civil Rights (OCR) proves it. The latest HIPAA settlement, the sixth of the year, involves Peachstate Health Management, LLC, a clinical laboratory based in Georgia that provides diagnostic and laboratory-developed tests. The violation stemmed from Peachstate's failure to meet several HIPAA Security Rule requirements and led to a $25,000 fine and a three-year corrective action plan issued by the OCR, a result that probably didn't leave the organization feeling too peachy after all.

So what happened? It may seem like comparing apples to oranges when looking at what triggered this settlement versus the ones we've recently seen centered on patient right of access violations and large cyberattacks. But the latest violation resulted from a variety of different and very relevant factors, from data breaches to telehealth and business associates, with systemic noncompliance at its core.

It started back in 2015, after the U.S. Department of Veterans Affairs (VA) reported a data breach involving its telehealth services program, which was managed by its business associate, Authentidate Holding Corporation (AHC). A year later, the OCR initiated an investigation into the business associate's compliance program and uncovered that AHC and Peachstate had entered into a reverse merger in January 2016, whereby AHC acquired Peachstate. As a result of this finding, the OCR opened another compliance review into Peachstate and found that the clinical laboratories were ripe for the picking, with ongoing noncompliance in the following key areas:

In addition to the fine and extensive corrective action plan that the OCR issued, its response to the incident and its message for other healthcare organizations is the cherry on top and should not be taken lightly.
“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

In other words, the only way to avoid being the low-hanging fruit for a HIPAA violation is to make sure your healthcare organization has met the basic standards that Peachstate was missing. And while an apple a day might keep the doctor away, this latest settlement is yet another example of why having a complete compliance program in place is so essential to keeping your practice away from OCR scrutiny and avoiding a HIPAA fine like this one.
OCR Alert Warns of Postcard Disguised as Official Government Communication
April 28, 2021 You’ve got mail! The Office for Civil Rights (OCR) just issued an alert warning of a HIPAA scam that may be hitting your mailbox. The government was recently made aware that postcards disguised as official OCR communication were being sent to health care organizations, informing recipients that they needed to complete a “Required Security Risk Assessment” and directing that completed assessments be sent to a non-governmental marketing consulting website that has since been taken down. This mailed scare tactic came from a private entity and should NOT be mistaken for an official notification from the OCR or the U.S. Department of Health and Human Services (HHS).

In addition to keeping an eye out for these counterfeit postcards, the OCR recommends verifying any and all “government” communications to confirm they are actually official, and alerting all staff members to do the same. Specifically, the OCR advises checking for an OCR email address, which will always end in @hhs.gov, and asking for a verification email from the OCR investigator’s hhs.gov address before acting on a request. The OCR also publishes the addresses of its headquarters and Regional Offices at https://www.hhs.gov/ocr/about-us/contact-us/index.html; any address printed on a communication you receive should be checked against that list.

This isn’t the first, and probably won’t be the last, time we receive alerts of these types of HIPAA scams. Back in August of last year, a similar incident occurred in which fraudulent postcards purporting to come from the OCR told healthcare organizations to complete a mandatory HIPAA compliance risk assessment and directed them to another marketing consulting service website. So while fake postcards seem to be a common approach, it’s important to be aware of any and all types of HIPAA scams, especially as hackers and other organizations with malicious intent get more and more creative in their efforts.
Though this postcard is by no means an official communication from the government, the mandatory Security Risk Analysis (SRA) at its center should not be overlooked. If fulfilling this HIPAA requirement causes you more concern than the scam itself, you’re not alone. In fact, the OCR’s latest industry audit report found that only 14% of covered entities and 17% of business associates had a proper SRA in place. So if your practice falls into the large majority that aren’t up to this HIPAA standard, this OCR alert should give you even more reason to get there, and a software solution like Abyde gives you the tools and resources needed to do so.
HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced
March 26, 2021 Looks like the Office for Civil Rights (OCR) just decided to play a quick round of 18, announcing its 18th right of access settlement (and second of the week) with yet another practice whose HIPAA compliance efforts were well below par. Village Plastic Surgery (“VPS”) was the latest to tee off against the OCR in a matchup that resulted in a $30,000 fine and a two-year corrective action plan. And with the 17th right of access settlement announced only two days ago, the tough loss endured by the New Jersey-based provider was just par for the course.

The round began back in September 2019, after a patient filed an all too familiar complaint with the OCR that the practice had failed to respond to a records request made a month prior. Unlike previous settlements in which the organization was first provided with technical assistance, all it took was a single patient complaint for the OCR to determine that VPS had failed to meet right of access standards, setting the tone that there are no mulligans when it comes to a HIPAA violation. It’s pretty clear that if you’re not meeting HIPAA requirements, becoming the next opponent on the OCR’s lineup is anyone’s game.

But if two fines in one week don’t drive the point home, maybe the latest statement from OCR Director Robinsue Frohboese will be right on target: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner, covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

So, with $5,540,000 collected in HIPAA fines in 2021 alone and patient right of access a clear government focus, ensuring that your practice’s compliance program is up to par is the best and only way to steer clear of the next round of OCR enforcement.
OCR Continues to Take Non-Compliance By Storm – Announcing 17th Right Of Access Settlement
March 25, 2021 We are definitely no meteorologists over here, but if there’s one pattern we’ve gotten pretty good at predicting, it’s the government’s focus on HIPAA non-compliance. And with another right of access settlement hitting our inboxes just yesterday, it’s looking like HIPAA enforcement season is in full effect. Arbour, Inc., d.b.a. Arbour Hospital (“Arbour”), was the latest to get caught in the Office for Civil Rights (OCR) storm, but instead of heavy rainfall and thunder, the Massachusetts-based behavioral health provider was hit with a whopping $65,000 fine and a corrective action plan. The announcement marks the 17th right of access settlement since the OCR declared its enforcement initiative back in the fall of 2019, proving that whoever said lightning never strikes the same place twice clearly didn’t know HIPAA.

Arbour first showed up on the OCR’s radar back in July 2019, after the OCR received a complaint alleging that the practice had failed to respond to a patient’s records request in a timely manner. Despite the OCR providing technical assistance, the practice took a rain check on providing access, and a second patient complaint came rolling in later that month. As a result of the OCR’s investigation, Arbour finally provided the patient with their records more than five months after the initial request, making the perfect storm for a HIPAA violation. With 17 cases settled and $1,068,500 collected in fines since the right of access initiative began, it’s looking like when it rains, it pours as far as OCR enforcement is concerned.
And if the numbers aren’t telling enough, Acting OCR Director Robinsue Frohboese made her storm warning loud and clear in her latest statement: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.”

A key takeaway from the 17 practices caught in the government’s flood zone? In more than half of the published settlements, the organization was notified twice by the OCR and provided with technical assistance. Had they listened to the first warning siren, they could potentially have avoided the settlement entirely. Taking timely action on a patient’s records request has proven to be an ongoing issue for covered entities of all specialties and sizes, and with the proposed HIPAA Privacy Rule changes shortening the response window from 30 days to 15 days, we foresee dark skies ahead if practices don’t start complying.

So, how do you avoid the hailstorm that comes with an OCR audit? Simply put, ensuring your practice adheres to state and federal patient right of access laws, and has the policies and procedures to back that up, is a great place to start. But in order to fully weather the elements of government enforcement, you must meet ALL of the requirements that fall under the HIPAA umbrella and keep your compliance program a priority come rain or shine.
OCR Announces 16th Right of Access Settlement
February 12, 2021 Today the Office for Civil Rights (OCR) is celebrating its Sweet 16, its sixteenth HIPAA right of access fine, to be exact. Instead of party hats and birthday cake, it’s kicking off the festivities with a hefty settlement and its second HIPAA fine this week. The not-so-lucky guest of honor is Sharp HealthCare, d.b.a. Sharp Rees-Stealy Medical Centers (“SRMC”), a health care provider based in California. SRMC was gifted a $70,000 fine along with a two-year corrective action plan for violating HIPAA right of access requirements.

The ‘party’ began back in June 2019, after the OCR received a complaint stating that SRMC failed to respond when a patient requested that an electronic copy of their protected health information (PHI) be sent to a third party (sound familiar?). The ‘party’ didn’t stop there: even after the OCR provided technical assistance, it received a second complaint just two months later alleging that SRMC had still not provided the requested access. It wasn’t until the OCR investigated further that SRMC finally fulfilled the patient’s request.

Not only does today’s announcement take the cake (party pun intended) as the second fine released this week, but the details of the two most recent settlements are so similar we feel like we’re seeing double. Both fines resulted from patient right of access violations, and more specifically from the failure to provide an electronic copy of health records to a third party. So the lesson to be learned? Ensure your practice is providing access in a timely manner and in the form it was requested. Acting OCR Director Robinsue Frohboese emphasized the government’s continued focus in today’s press release: “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” After a historic year in HIPAA enforcement, four HIPAA settlements in the first two months of 2021 should come as no shock.
If crashing the HIPAA violation party isn’t something you’re keen on (we’re not the life of the party ourselves, but even we don’t think that would be much fun), then having the right policies and procedures in place, along with proper employee training on how to respond to records requests, is key.
OCR Settles 15th Right of Access Violation
February 10, 2021 The Office for Civil Rights (OCR) started 2021 off with some heavy hitters, including a $5.1 MILLION fine only 15 days into the year, but its fifteenth HIPAA right of access settlement (and counting; we’re taking bets on how many it gets in before the end of the year) emphasizes that the OCR isn’t just going after the big guys when it comes to keeping HIPAA programs in check. Renown Health, P.C., a private, not-for-profit health provider in Nevada, became the third HIPAA violator of the new year after failing to meet HIPAA right of access requirements back in 2019. The violation came with a hefty penalty of $75,000, along with a two-year corrective action plan.

So what happened? Two years ago this month, the OCR received a complaint that Renown Health had failed to fulfill a patient’s request for an electronic copy of their medical and billing records. In this particular instance, the patient had requested that the records be sent to a third party, something HIPAA not only allows but expects providers to fulfill. Singing the same tune as last year’s many access-related fines, it wasn’t until the OCR got involved and investigated further that Renown Health finally provided access to all of the requested records. Acting OCR Director Robinsue Frohboese weighed in on the latest settlement: “access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis.”

What this means for you

With 15 right of access settlements under its belt, the OCR has made it clear that providing proper access in the form records are requested is key, not to mention the ticking clock (30 days, or less depending on the state) that starts with any records request. With the proposed changes to the HIPAA Privacy Rule suggesting an even shorter time frame to respond to records requests, providing timely access should be on every practice’s radar.
If it’s not, or even if it is, having documented policies on how records are provided and recording every request in writing is key to preparing your practice should you wind up as part of the OCR’s right of access crusade. Not sure where your current HIPAA program stands, especially when it comes to patients’ access rights? Schedule a complimentary consultation with one of our HIPAA experts today to see what you might be missing before it’s too late!
OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million
January 15, 2021 Buckle your seatbelts: it’s only 15 days into 2021 and it’s already looking like this year will be a wild ride when it comes to HIPAA enforcement. The Office for Civil Rights (OCR) just announced another HIPAA settlement (and a doozy at that), bringing in not one but TWO fines this week. The latest (and greatest) HIPAA fine of 2021 went to Excellus Health Plan, Inc., a health insurance provider serving over 1.5 million people in New York. The settlement includes a whopping $5.1 million fine and a two-year corrective action plan, the result of a cyberattack affecting more than 9 million records along with a slew of other HIPAA Privacy and Security Rule violations. Fun fact: the OCR didn’t reach $5 million in total fines levied until September of last year, and today’s announcement means it has already exceeded the $5 million mark just 15 days into 2021. Talk about starting the year off strong!

Excellus’ story started when the OCR received a breach report on September 9, 2015 stating that cyber-attackers had gained access to Excellus Health Plan’s information technology systems. Of note in this particular breach is that the hackers were inside Excellus’ systems for so long that they not only set up shop but practically built a whole mall to go with it, hanging out in the health plan’s database from December 23, 2013 all the way until May 11, 2015, roughly a year and a half. Their overextended stay allowed the hackers to install malware and carry out other malicious activity that gave them unauthorized access to the protected health information (PHI) of over 9.3 million individuals, improperly accessing everything from names and addresses to Social Security numbers, financial information and clinical treatment information.
If having hackers in your IT systems for a year and a half wasn’t bad enough, the OCR also found that Excellus had violated some pretty important HIPAA rules, including:

As a great example of what NOT to do when it comes to your HIPAA and technical security programs, today’s fine also came with words of wisdom from the OCR: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”

One positive when it comes to increasingly concerning cyberthreats? The recently passed HIPAA Safe Harbor Bill gives your practice the chance to receive a smaller HIPAA fine (even more important with the whopping $5.1 million precedent just set) IF you can show the necessary safeguards were in place for the 12 months BEFORE a cyber event. Even though data breaches and hacking incidents aren’t always within your control, your practice’s preparation beforehand is, and it could mean the difference between a smaller, manageable fine and ranking among the top 10 greatest hits on the OCR’s fine list.
OCR’s First Settlement of the Year: More HIPAA Right of Access Violations
January 12, 2021 The Office for Civil Rights (OCR) wasted no time starting on its new year’s resolutions, announcing its 14th settlement under the HIPAA Right of Access Initiative just two weeks into 2021. Patient right of access fines are becoming a monthly occurrence, and it’s no surprise that the OCR would start the new year with the same enforcement efforts it ended 2020 with. Banner Health, an Arizona-based non-profit health system operating 30 hospitals as well as primary care, urgent care and specialty care facilities across the country, became the OCR’s first target of the year, with the largest right of access fine to date: $200,000. This hefty payout comes as a result of two separate complaints filed against Banner Health, both highlighting the health system’s noncompliance with the HIPAA right of access standard.

If today’s settlement isn’t enough reason to stop dragging your feet on records requests and get HIPAA compliant ASAP, maybe the latest statement from OCR Director Roger Severino will seal the deal: “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.”

The OCR has clearly hit the ground running with HIPAA enforcement in the new year, and it’s more important than ever to get your practice compliant. OCR Director Roger Severino has been beating the same right of access drum for over a year, and it’s no surprise given that audit results released this past December show that most covered entities (a whopping 89%) don’t meet patient access requirements. Concerned your practice falls in that boat? Schedule a consultation today with one of our HIPAA experts to see where you currently stand and what you need to do to avoid falling into the government’s crosshairs in 2021.
North Texas Dental Practice Fined $15K for OSHA Whistleblower Violations
March 3, 2023 Blow the whistle… No, not like the 2006 Too Short song, but OSHA’s Whistleblower Protection Program. Whistleblower protection laws are in place to prevent retaliation against employees who report safety violations, discrimination or other illegal activities in the workplace. Under the Occupational Safety and Health Administration (OSHA) Whistleblower Protection Program, employees who report such violations are protected from retaliation by their employers. This protection covers not only termination but also other forms of retaliation such as demotion, reduction in pay, or denial of overtime or promotions.

Why would a practice retaliate against a complaint instead of mitigating the risk and working toward a culture of compliance? That is a $15,706 question, and unfortunately Roger and David Bohannan of Roger H. Bohannan DDS Inc. have to answer it. While on furlough in early 2020, a dental hygienist and a dental assistant at the practice asked what coronavirus safety measures would be in place once patients and employees returned. When the practice did reopen, those two employees were not reinstated, simply because they had expressed their concerns and cited guidance from the Centers for Disease Control and Prevention (CDC) and OSHA. Further investigation found that Bohannan Dentistry discriminated against employees for exercising their rights under section 11(c) of the OSH Act, which prohibits retaliation by employers against workers who “blow the whistle” by exposing health and safety hazards. In a statement, OSHA Regional Administrator Eric S. Harbin in Dallas said, “Like all workers, these two people had every right to speak up without the fear of losing their jobs. We want workers to know that OSHA is here to protect their rights, and we won’t hesitate to exercise our authority when they are violated.”

OSHA administers more than 20 whistleblower statutes, each with its own filing deadline. The clock starts when the adverse action occurs and is communicated to the employee, and the deadlines range from 30 to 180 days depending on the statute. It is important for employees to know that they have the right under the law to report safety violations and other illegal activities without fear of retaliation. Employers have a responsibility to provide a safe and healthy workplace, and OSHA’s Whistleblower Protection Program helps ensure that employees can speak up when they see something that is not right.
OCR Announces 13th Right of Access Fine, Drives Home Importance of Record Requests
December 22, 2020 The Office for Civil Rights (OCR) has been in the giving spirit the past few months, and it couldn’t close out 2020 without handing out at least one last holiday gift. We know there are only 12 days of Christmas as the song goes, and we don’t think the OCR will be handing out lords-a-leaping or pipers piping anytime soon, but there IS one more gift not mentioned in the classic song (at least in the OCR 2020 edition): 13 patient right of access fines. The latest settlement adds to quite a historic year for HIPAA enforcement, and proves just how unprepared many practices have been when it comes to HIPAA compliance.

This week’s extra gift went to Peter Wrobel, M.D., whose practice Elite Primary Care in Georgia found itself doing a little extra holiday spending this year after settling with the OCR for $36,000. The settlement resolved a patient right of access complaint from April 2019 that took over a year to fully wrap (present-related pun intended). Here are the highlights from this latest fine:

Important notes for any covered entity? Make sure to provide records in a timely manner, AND in the form the patient requests them. Additionally, requests can be submitted in any form (verbal, written or otherwise), but documented, written requests are always key to best protecting your practice and meeting timeframe requirements. Take a minute to brush up on how to handle access requests if your practice needs a refresher. Taking over a year to provide records access is already a bad call, and proposed changes to the HIPAA Privacy Rule will make the typical 30-day timeframe to provide records even shorter. When it comes to patients getting access to their own PHI, the OCR is serious about keeping covered entities of all sizes in line.
While this may not have been the gift Elite Primary Care was wishing for this year, it did come with some wise words of advice from OCR Director Roger Severino: “OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee.” We hope your practice gets a better gift this year than a hefty fine, but if you aren’t certain where you stand, get the gift of confidence in your HIPAA program by scheduling an educational webinar today!