Fines

Two Major HIPAA Fines
Fines, HIPAA

OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Comments Off on OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Even in the midst of COVID-19, the Office for Civil Rights (OCR) hasn’t let up on finding and enforcing HIPAA violations. Within just this past week, both a small healthcare provider along with a larger health system found themselves facing HIPAA violations that resulted in hefty fines – $25,000 and $1.04 million, respectively – as well as extensive corrective action plans.  Continued Disregard for HIPAA A small practice based out of North Carolina, Metropolitan Community Health Services (d/b/a Agape Health Services) filed their initial breach report all the way back in 2011 when there was an impermissible disclosure of PHI to an unknown email account. While the violation may have been triggered by an impermissible disclosure of protected health information (PHI), the OCR’s hammer was brought down in large part by the practice’s continued disregard for HIPAA requirements and protections for their patient’s PHI. The disclosure impacted over 1,000 patients and the practice’s report opened the doors to an OCR investigation of their entire HIPAA program. The investigation shed light on the practice’s failure to comply with various HIPAA Security Rule regulations, including: Even after reporting the breach in 2011, the practice didn’t implement these missing HIPAA requirements in any hurry. Staff weren’t trained properly on HIPAA until 2016 – five years after the initial complaint was reported. The lack of progress made to safeguard their patients’ information resulted in the OCR levying a $25,000 fine years after the impermissible disclosure took place, in part as a result of continuously failing to mediate the gaps in their HIPAA program. OCR Director, Roger Severino, emphasized the practice’s lack of effort in his statement accompanying the press release. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” This fine highlights that it is imperative to not only have a comprehensive HIPAA compliance program in place before a breach occurs, but also ensure that safeguards are implemented after a breach has been identified – the OCR has made it clear that showing a lack of progress is one way to guarantee you end up in their crosshairs.  Unencrypted Laptop The second violation involved a large healthcare system in Rhode Island, Lifespan ACE, and resulted in a whopping $1,040,000 resolution agreement. Back in 2017, a Lifespan employees’ car was broken into and a single unencrypted laptop containing patient information from various entities within the healthcare system was stolen. This data breach led to the impermissible disclosure of over 20,000 individuals PHI and opened the doors for the OCR’s further investigation. Upon investigation, it was found that they were missing various elements of their HIPAA program including:  Because the laptop was not encrypted, a single technical safeguard that could have prevented the violation, the PHI of any patient that was accessible using the device was at high risk for misuse. Part of the OCR’s investigation revealed “systemic non-compliance” with HIPAA, including various other media and device controls such as proper encryption. “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” added Roger Severino, OCR Director in the news release. This fine emphasizes that even when theft is outside of a covered entity’s control, the responsibility still falls on the provider to properly encrypt and safeguard that valuable data. While preventing every single possibility of a data breach might be unrealistic, maintaining a proactive HIPAA compliance program that meets federal requirements and includes all appropriate encryption and technical safeguards is achievable. Ensuring you have a complete program with all aspects of HIPAA reviewed and implemented is key – and stress-free when done with an intuitive software solution like Abyde.  

Missing Business Associate Agreements HIPAA Fine
Fines, HIPAA

Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Comments Off on Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for their failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program.  The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practices’ patient’s electronic protected health information in exchange for $50,000 to be paid by the practice.  While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found themselves in the government’s crosshairs. Within the compliance review, the OCR had found that the practice had failed to do the following:  Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patient’s PHI at risk. This breach, and corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent impermissible safeguarding or access to PHI. OCR Director, Roger Severino, included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place. 

1st HIPAA Right of Access Fine
Fines, HIPAA

OCR Settles First Case in HIPAA Right of Access Initiative

September 9, 2019 Comments Off on OCR Settles First Case in HIPAA Right of Access Initiative

September 9, 2019 Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is announcing its first enforcement action and settlement in its Right of Access Initiative.  Earlier this year, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules after Bayfront failed to provide a mother timely access to records about her unborn child.  Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians. OCR initiated its investigation based on a complaint from the mother.  As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request and providers can only charge a reasonable cost-based fee.  This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child. “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino.  “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bayfront/index.html

Record HIPAA Fine
Fines, HIPAA

Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

October 16, 2018 Comments Off on Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History

October 16, 2018 Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016. Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans. On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014. In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

Looking to finish your SRA for MIPS by the Dec 31 deadline? We're here to help you get compliant in minutes.

SCHEDULE CONSULTATION
X