January 12, 2021 The Office for Civil Rights (OCR) wasted no time starting on their new year’s resolutions, announcing their 14th settlement as part of the HIPAA Right of Access Initiative just 2 weeks into 2021. Patient right of access fines are starting to become a monthly occurrence, and it’s no surprise that the OCR would start off the new year with the same enforcement efforts they ended 2020 with. Banner Health, an Arizona-based non-profit health system operating 30 hospitals, primary care, urgent care, and specialty care facilities across the country, became the OCR’s first victim of the year with the largest right of access fine to date – $200,000. This hefty payout comes as a result of two separate complaints filed against Banner Health, both highlighting the health system’s noncompliance with the HIPAA right of access standard. If today’s settlement isn’t enough reason to avoid dragging your feet on records requests and getting HIPAA compliant ASAP, maybe the latest statement from OCR Director Roger Severino will seal the deal: “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.” The OCR has clearly hit the ground running with HIPAA enforcement in the new year and it’s more important than ever to get your practice compliant. OCR Director Roger Severino has been beating the same right of access drum for over a year, and it’s no surprise given that audit results released just this past December show that most covered entities (a whopping 89%) don’t meet patient access requirements. Concerned your practice falls in that boat? Schedule a consultation today with one of our HIPAA experts to see where you currently stand and what you need to do to avoid falling into the government’s crosshairs in 2021.
North Texas Dental Practice Fined $15K for OSHA Whistleblower Violations
March 3, 2023 Blow the whistle… No, not like the 2006 Too Short song but OSHA’s Whistleblower Protection Program. Whistleblower protection laws are in place to prevent retaliation against employees who report safety violations, discrimination, or other illegal activities in the workplace. Under the Occupational Safety and Health Administration (OSHA) Whistleblower Protection Program, employees who report such violations are protected from retaliation by their employers. This protection includes not only termination but also other forms of retaliation such as demotion, reduction in pay, or denial of overtime or promotions. Why would a practice retaliate for a complaint received instead of mitigating the risk and working toward a culture of compliance? That is a $15,706 question and unfortunately, Roger and David Bohannan of Roger H. Bohannan DDS Inc. have to answer. While on furlough in early 2020, a dental hygienist and dental assistant at the practice asked what coronavirus safety measures would be in place once patients and employees returned. When the practice did reopen, those two employees were not reinstated simply because they expressed their concerns and cited guidance from the Centers for Disease Control (CDC) and OSHA. Further investigation found that Bohannan Dentistry discriminated against employees for exercising their rights under section 11(c) of the OSH Act, which prohibits retaliation by employers against workers who “blow the whistle” by exposing health and safety hazards. In a statement, Eric S. Harbin, an OSHA Regional Administrator in Dallas, said, “Like all workers, these two people had every right to speak up without the fear of losing their jobs. We want workers to know that OSHA is here to protect their rights, and we won’t hesitate to exercise our authority when they are violated.” OSHA administers more than 20 whistleblower statutes, with varying time limits for filing. 
The time frame for filing a complaint begins when the adverse action occurs and is communicated to the employee. There are varying reporting deadlines from 30-180 days specific to each statute. It is important for employees to know that they have rights under the law to report safety violations and other illegal activities without fear of retaliation. Employers have a responsibility to provide a safe and healthy workplace, and OSHA’s Whistleblower Protection Program helps to ensure that employees can speak up when they see something that is not right.
OCR Announces 13th Right of Access Fine, Drives Home Importance of Record Requests
December 22, 2020 The Office for Civil Rights (OCR) has been in the giving spirit the past few months, and they couldn’t close out 2020 without handing out at least one last holiday gift. We know there are only 12 days of Christmas as the song goes – and we don’t think the OCR will be handing out lords-a-leaping or pipers piping anytime soon – but there IS one more gift not mentioned in the classic song (at least the OCR 2020 edition): 13 patient right of access fines. The latest settlement adds to quite a historic year for HIPAA enforcement – and proves just how unprepared many practices have been when it comes to HIPAA compliance. This week’s extra gift went to Peter Wrobel, M.D., whose practice, Elite Primary Care out of Georgia, found themselves doing a little extra holiday spending this year after settling with the OCR for $36,000. The settlement resolved a patient right of access complaint from April 2019, which took over a year to fully wrap (present-related pun intended). Here are the highlights from this latest fine: Important notes for any covered entity? Make sure to provide records in a timely manner, AND in the way the patient requests them. Additionally, requests can be submitted in any form (verbal, written or otherwise) but documented, written requests are always key to best protecting your practice and meeting timeframe requirements. Take a minute to brush up on how to handle access requests if your practice needs a refresher. Taking over a year to get records access is already a bad call, but proposed changes to the HIPAA Privacy Rule will make the typical 30-day timeframe to provide records even shorter. When it comes to patients getting access to their own PHI, the OCR is serious about keeping covered entities of all sizes in line. 
While this may not have been the gift Elite Primary Care was wishing for this year, it did come with some wise words of advice from OCR Director Roger Severino: “OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee.” We hope your practice gets a better gift this year than a hefty fine – but if you aren’t certain where you stand, get the gift of confidence in your HIPAA program by scheduling an educational webinar today!
OCR Continues HIPAA Right of Access Fine Streak, Announces 12th Settlement
November 19, 2020 Reporting new HIPAA settlements has become a weekly routine this month (we’ve got our calendars marked for next week’s already), and after today’s announcement on the Office for Civil Rights (OCR) 12th right of access initiative settlement (the third in November), we now have enough patient right of access fines to last us a whole year. This week’s HIPAA headline goes to the University of Cincinnati Medical Center, LLC (UCMC), an academic medical center that provides healthcare services to the Greater Cincinnati Community. UCMC agreed to a $65,000 payout as well as a 2-year corrective action plan with the OCR to settle a violation of (you guessed it) the HIPAA right of access standard. The by-now familiar story began back in May of 2019, when the OCR received a complaint that UCMC failed to respond to a patient’s request that her electronic health records (EHR) be sent directly to her lawyers on February 22, 2019. After further investigation and a little push from the OCR, the medical center finally provided the requested records in August of that year. While we’ve seen more than a handful (2 handfuls plus two fingers to be exact) of patient right of access fines over the past year, this specific settlement is a great example of not only failing to provide patient records in a timely manner, but also in the proper format they were requested in. It is required under HIPAA law to be able to provide patients with a copy of their records in the format they request – either in paper or electronic form – as well as have the ability to transmit records directly to a third party if specified. If it isn’t possible to provide records the way a patient requests, the covered entity must agree to an alternative method with the requester. 
Emphasizing the importance of providing records in the format requested, OCR Director Roger Severino added that the “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.” Today’s settlement brings the running count of 2020 HIPAA fines to a total of $13,291,500 with 6 weeks still left in the year. If the weekly fine trend continues, we could expect at least 6 more HIPAA settlements and a whole lot of $$$ to come rolling in before 2020 finally ends. While we’re all looking forward to 2020 calling it quits, 6 more fines would blow 2019’s enforcement records out of the water. With annual HIPAA deadlines right around the corner and weekly examples of why you should ensure your practice is compliant, we couldn’t think of a better time to add HIPAA to the top of your to-do list!
OCR Announces the 11th HIPAA Right of Access Settlement
November 12, 2020 The last few months have shown that it’s not a matter of when the next Office for Civil Rights (OCR) HIPAA fine will drop, it’s how much the fine will be for. It’s sort of become a race at the Abyde office to share the news first when the OCR’s next press release hits our inboxes (seriously – this blog’s authors are winning in case you were concerned). Today’s entry into our fine-marathon is yet another patient right of access violation – bringing total access settlements to 11 and 2020’s fine count to $13,226,500. The latest right of access violator is Dr. Rajendra Bhayani, a private practitioner specializing in otolaryngology (a specialty focused on the ears, nose, and throat, if you aren’t a medical specialties trivia whiz) out of New York. The settlement comes as a result of a patient complaint regarding a violation of the Privacy Rule’s right of access standard and left Dr. Bhayani with a $15,000 bill and a two-year corrective action plan to boot. Back in September 2018, the OCR received a complaint that Dr. Bhayani failed to respond to a patient’s request for medical records made in July of that year. The OCR responded by providing the doctor with technical assistance on the issue, and it was case-closed (or so they thought). Half a year later, complaint number two came rolling in, noting that even in July of 2019 the patient still hadn’t received their requested records. Only after further OCR investigation were the records finally provided in September of 2020 – two whole years after the initial complaint. The OCR is certainly taking this right of access fine-marathon seriously, sprinting to the end of 2020 with 9 right of access related fines since September. 
“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion,” stated OCR Director, Roger Severino, “we will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.” The best way to tell the OCR ‘message received’? Get your HIPAA program in order NOW, particularly all the pieces that go into patient right of access – HIPAA authorization forms, the right access policies and timeframes, staff training, and more. OCR Director Severino said it best – it doesn’t matter if your practice has 3 employees and sees only a handful of patients, dealing correctly with HIPAA requirements is essential to avoiding $$$ in fines and the scrutiny of the OCR.
OCR Announces the 10th HIPAA Right of Access Settlement
November 6, 2020 The Office for Civil Rights (OCR) wasn’t kidding when they emphasized HIPAA Right of Access enforcement last year – if you STILL don’t believe the many (so, so many) blog articles we’ve written on previous fines, maybe today’s 10th fine announcement will do the trick. Patient right of access has been a trending topic (waiting for the hashtag to trend any day now) over the past few months, and the latest settlement is just another reminder of what your practice needs to watch for. Today’s fine goes to Riverside Psychiatric Medical Group (RPMG), out of Riverside, California who agreed to a $25,000 payout and two-year corrective action plan to settle a violation of the Privacy Rule’s patient right of access standard. The latest settlement comes as a result of a patient complaint received just last year, in March of 2019. The complaint claimed that RPMG failed to provide access to requested medical records – even after multiple requests, OCR technical assistance after the first complaint, and a second complaint a month later. In this particular case, unlike other patient right of access fines levied thus far, RPMG claimed they didn’t provide access because the requested records included psychotherapy notes. Psychotherapy notes include documentation of private counseling sessions, separate from regular medical records, and are able to be withheld under HIPAA law because of the nature of the records. So was the practice actually in the wrong? While psychotherapy notes CAN be withheld, HIPAA still requires: Since RPMG failed to do either, they found themselves with $25,000 less in their pockets and two whole years of administrative paperwork to be completed. Even if your practice doesn’t deal with mental or behavioral health services, RPMG’s case includes some important lessons for all types of providers. 
When records can’t be provided (for legitimate reasons only, people) a written explanation and a copy of the records can and should be provided to the patient. No one likes to be left hanging, said best by OCR Director Roger Severino himself: “When patients request copies of their health records, they must be given a timely response, not a run-around.” Avoid being an enforcement victim by reviewing what your practice has in place now, and what is required when a patient requests their records. Make sure you have a designated method for patients to request records and fulfill their requests within the right time frame – within 30 days at the federal level, though it varies by state. And just in case you’re keeping score (just us?) this fine brings 2020’s running total to $13,211,500.
City of New Haven Reaches HIPAA Settlement After Former Employee Steals Patient Information
October 30, 2020 Just when we thought the month was over, the Office for Civil Rights (OCR) decided to sneak one more HIPAA fine in at the last minute. Earlier today the OCR announced October’s FOURTH fine – this time with the City of New Haven, Connecticut, which has agreed to pay a $202,400 fine and complete a 2-year corrective action plan after violating the HIPAA Privacy and Security Rules. The 15th settlement of the year came as a result of a HIPAA violation back in January 2017 that sounds almost like a TV drama. Back in 2017, the incident began when the New Haven Health Department notified the OCR that a former employee appeared to have accessed a file on a computer containing protected health information (PHI). After some OCR sleuthing, it was revealed that 8 days after being fired in July 2016, the same employee returned to the health department and logged into her old computer with still-active credentials (we’re picturing her with a large hat, sunglasses and a trench coat) and downloaded the PHI of 498 individuals to a USB drive. The malicious download included patient names, addresses, and other personal medical information. And as if this really was a binge-worthy TV show (grab the popcorn) the former employee then shared her login ID and password with an intern – who continued to do the dirty work for her. On top of the drama-filled breach, the OCR investigation also uncovered major gaps in the health department’s HIPAA program, including: We’ve seen a number of recent HIPAA settlements centering around improper access, but in this case the unauthorized access came as a result of the New Haven Health Department’s failure to have proper employee offboarding procedures. The simplest task of deactivating the employee’s login credentials could have saved the organization a huge chunk of change, and kept 498 patients’ information better protected. 
You can never really predict when an employee will ‘go rogue’, and not having a termination system in place – or even just waiting a few days to disable access – can be a costly mistake. Having a comprehensive plan from an employee’s first day to their last is an important aspect of general operations, but especially your HIPAA compliance program. OCR Director Roger Severino said it best: “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”
OCR Announces $1,000,000 Settlement With Aetna for Multiple HIPAA Breaches
October 28, 2020 Thought we’d be able to skate through the rest of October without another HIPAA fine? Not so fast. The Office for Civil Rights (OCR) just announced another $1,000,000 settlement to add to October’s tab, settling with Aetna on not one, not two, but three separate HIPAA violations. Aetna Life Insurance Company, as well as the affiliated covered entity (Aetna), agreed to a million-dollar payout in addition to a two year corrective action plan as a result of multiple HIPAA incidents experienced back in 2017. The first violation occurred in April 2017, after Aetna discovered that two web services used to display plan-related documents to their members did not have the necessary login protections and were accessible through regular internet search engines. Aetna’s report noted that the incident exposed the protected health information (PHI) of over 5,000 individuals. Violation number two came just a few months later in July, when Aetna received complaints that sensitive health information was made visible through benefit notice mailers. The 11,887 affected individuals’ medication information could be seen through the window of the envelope below the member’s name and address, clearly exposing their PHI to anyone who happened across the mailings. Last but not least, the third violation occurred in September 2017, after a similar mailer was sent to 1,600 individuals displaying the name and logo of a research study on atrial fibrillation (irregular heartbeat) that some members were participating in. Because the logo on the envelope clearly conveyed the type of study the recipients were a part of, it was automatically an impermissible disclosure of PHI. 
Three HIPAA violations in one year is already enough to get you on the OCR’s bad side, but after further investigation, they found other aspects of Aetna’s HIPAA compliance program missing, including: 2017 was certainly a bad year for Aetna, and 2020 has now been a very bad year for all covered entities – practices, insurance companies and business associates alike – without a complete HIPAA compliance program in place. This latest settlement brings this year’s total to a whopping $13,186,500 – almost a million dollars over last year’s total fines, with 2 months still left on the clock in 2020. We know you’re sick of hearing us harp on the importance of being compliant before an incident happens (seriously, we’re turning into our own mothers) but in OCR Director Roger Severino’s own words, “Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.”
State HIPAA Fines Add to Growing 2020 Fine Totals
October 23, 2020 The Office for Civil Rights (OCR) has left practices taking hit after hit after hit when it comes to HIPAA fines this year, but two recent multi-state HIPAA fines have added just as many $$$ to this year’s enforcement totals. While the OCR certainly makes headlines, state enforcement and state-specific HIPAA regulations are just as important to adhere to as federal laws. In fact, depending on the incident and patients affected, many states require their attorney general be notified of a breach and have the option to pursue the HIPAA violation in addition to the investigation at the federal level. Driving the point home for us, two healthcare organizations found themselves emptying their pockets for a second time in the past few weeks – agreeing to multi-million dollar settlements with multiple states for HIPAA violations already settled with the OCR. These fines are the latest in over $66 million collected by states as part of HIPAA enforcement actions.
Anthem, Inc.
The health insurance provider Anthem went one round with the HIPAA police in 2018, and suffered their first loss against the Office for Civil Rights (OCR) with a $16 million settlement relating to a breach that exposed almost 79 million patients’ records back in 2014. The results of round 2 have just come in, and it’s a K.O. – Anthem, Inc. has just settled with 43 states and California relating to the same HIPAA breach, with a whopping $48.2 million in total fines. If you aren’t able to recite every HIPAA fine from memory (it’s ok, we’re probably the only ones that would win that trivia contest) the original incident resulted from a cyberattack that exposed almost 79 million individuals’ records. OCR investigation revealed Anthem was missing an enterprise-wide security risk analysis, various technical safeguards, and the proper response to suspected or known security incidents – resulting in the first place trophy for largest HIPAA settlement ever. 
Community Health System (CHS)
Just last month, the OCR settled a $2.3 million fine with a business associate, Community Health System (CHS), who exposed 6.1 million patients’ records as a result of another 2014 cyber attack. While most of us wish we could fast forward to 2021 and escape 2020, we’re sure CHS probably feels that way more than anyone after the announcement of another $5 million added to their tab in a 28-state settlement of the same incident. These recent fines are starting to feel like deja-vu, so here’s more on the announcement to help jog your memory. Not surprisingly, in their investigation the OCR found CHS was missing a security risk analysis, had no proper security incident procedures in place, and failed to implement necessary access controls. While the breaches themselves may be old news, the latest settlements are a fresh reminder of how healthcare practices must take notice of state HIPAA enforcement. Both state fines mentioned above, though split among all the states listed in each settlement, actually totalled more than the amount the OCR fined each organization. Having a complete HIPAA compliance program with necessary safeguards in place will not only reduce your risk of being targeted by a hacker, as was the case in both these incidents, but will also keep your chances of federal and state-level fines to a minimum. Federal HIPAA requirements certainly put enough on your plate, but having a HIPAA partner that can provide all your state-specific HIPAA requirements for you makes complying that much easier – and helps avoid costly state audits.
OCR Settles Ninth HIPAA Right of Access Investigation
October 9, 2020 The OCR has proven they keep their promises (unlike that former friend we all know), taking only two days to fulfill their recent pledge of continued right of access enforcement and announcing yet another HIPAA fine. For those of you counting, that’s 7 right of access fines in less than a month – so take the hint, and pay attention to what your practice should be doing when it comes to patient right of access. This time, the fine goes to NY Spine Medicine (NY Spine), a New York-based neurology and pain management medical practice, which was hit with a $100,000 fine and two-year corrective action plan for failing to provide records to a patient in 2019. After the patient made multiple requests beginning in June 2019, NY Spine failed to provide her diagnostic film records, only providing the records in October 2020 after OCR investigation. Important to note about this case is that NY Spine did provide some records to the patient, but not the ones she had actually requested – making this still a right of access violation. As OCR Director Roger Severino put it, “no one should have to wait over a year to get copies of their medical records. HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” If you’re a covered entity of any kind, now would be the right time to say ‘message received’. If the OCR’s words aren’t enough, take a look at the stats: If you need a refresher, read up on the five right of access fines announced in September or this Wednesday’s $160,000 right of access fine. What should your practice be doing right now? First, don’t panic. Second, if you think you might not be up to snuff on patient right of access, we have the inside scoop on how to get compliant and update your policies and know-how (wink wink). 
Just sign up for an educational webinar to learn what steps you can take right away to prevent being the next enforcement victim.