July 11, 2022 Think you finally got the hang of telehealth? Don’t get too comfy just yet! The OCR recently released guidelines on how covered health care providers and health plans should utilize their remote communication technology to deliver audio-only telehealth services while also complying with HIPAA requirements. Why is Telehealth important? Let’s start at the beginning. Telehealth contributes to increasing a practice’s value and security by expanding access to health care across the nation and providing certain users who have difficulty using audio and video telehealth technologies. When systems are not properly secured, they pose risks to patient safety, health, and data. Cyberattacks and ransomware are extremely common in Telehealth and may quickly create issues that disclose medical information and other sensitive information. As a practice, it is critical and worthwhile to maintain excellent Telehealth especially now a days with the increased funding and resources the OCR has available. OCR Director, Lisa J. Pino, states, “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information.” With the OCR’s Telehealth Notification system possibly being taken down as early as July 15th, 2022, we recommend that practices stay alert and take every precaution by using your friendly, easy to use HIPAA-compliant software (hint Abyde) to assure full compliance today. The first step in remaining alert is to follow the guidance issued by the OCR in response to the recent news that the Telehealth Notification system may be shut down. The guidance below specifies the conditions under which telehealth may be utilized. The HHS is authorizing HIPAA-covered businesses to conduct telehealth and audio-only services using remote communication technology. However, these services must be provided in a private environment to the best of the entity’s abilities, and the individual’s identification must be verified. Even though HIPAA does not apply to audio-only telehealth services delivered through electronic communication methods, when offering telehealth services through mobile devices or applications, practices may face HIPAA compliance issues. Therefore, practices should identify all potential risks and vulnerabilities to PHI confidentiality as part of the risk analysis process prior to the completion of the PHE. Abyde will do anything possible to make sure you’re on top of your compliance game because the OCR may show up at any time! Allow us to guide you through these future changes – from our incredibly simple software to our readily available education, we will be your buddy in ensuring that you are prepared for any obstacles that show up at your door.
MORE MONEY, MORE PROBLEMS? OCR Budget Proposal Will Result in Greater Enforcement and More Fines
May 16, 2022 If you think the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) isn’t zeroed in on compliance, think again. OCR recently announced its request for a 55% increase in its overall funding, for a total of $60.2 million for the 2023 fiscal year. While this number may seem shocking, their plans for the money may make your jaw drop. Let’s take a look at why the increase is needed. Nearly 46,000 complaints were received in FY 2021, a dramatic increase from nearly 2,000 in 2003. Just this year, they’re expecting more than 28,000 related strictly to HIPAA. OCR states, “given the trend in complaints to OCR as well as the priorities articulated by the Administration, OCR anticipates a significant increase in the number of civil rights, information breaches, and cybersecurity complaints.” OCR opens an investigation for any breach that affects more than 500 people. In 2021, there were 714 of those instances, more than 30% growth over the last two years. Currently, OCR is limited to how many of these they can conduct a full investigation on. Imagine how powerful this could be if granted the resources to execute the necessary amount?! In addition, OCR is looking to add more regional investigators to address the backlog of existing complaints. With a goal of clearing the backlog by FY 2026, $8 million will be allocated to address the existing complaint inventory. OCR supports adding new regional investigators to “resolve new civil rights and HIPAA cases, address the backlog of complaints, and initiate compliance reviews in the Administration’s priority areas.” With a staff of 77 in 2020, they plan to add an additional 37 investigators and supervisory investigators in FY 2023. The budget accounts for a total increase of 64%, equating to 91 new employees. More staff could mean more knocks on your door! Still think that you’re the one that got (or will get) away?! This next bit is for you. Increasing fines and the institution of injunctive relief are more immediate than 2023. Not sure what a HIPAA violation could cost you? Don’t go get a tattoo of these any time soon – OCR is requesting increases based on a federal court evaluation. In 2019, then-OCR Director Roger Severino published a “notice of enforcement discretion” complementing the HITECH Act basing violation amounts on the party’s awareness and fault. While you could imagine this leaves some room for interpretation, the tiered fine structure will remain in place. Changing lanes, Injunctive relief essentially restrains a party from a certain action. OCR regulator, Adam Greene openly notes the HITECH Act “provides attorneys general with authority to seek injunctive relief.” Green continues to state, “If OCR were given authority to obtain injunctive relief, then it could require entities to take or discontinue actions –such as by requiring an entity to provide an individual with access to records or to discontinue a use or disclosure of protected health information – rather than only being able to penalize the entity after an act or omission occurs.” If you still aren’t convinced that OCR means business, let’s wrap up with a summary of what their request for extra dollar signs means for you. An increase in budget simply equates to an increase in resources – more employees to not only attack the existing backlog but the ability to complete more in-depth and frequent investigations. Higher fines and more meaningful corrective action plans mean greater penalties and violation costs. We hope you take your compliance seriously, OCR certainly is! Let us navigate these upcoming changes with you – from our simple software to our readily available education, we will be your companion in confidence that you are set up for any OCR changes that come our way.
Dentistry HIPAA Fines
March 29, 2022 Dental practices are no longer flying under the radar! The Office for Civil Rights (OCR) just concluded its twenty-seventh enforcement action since the HIPAA Right of Access Initiative began in 2019. Totaling over $170,000 across four penalties, the announcement of the verdicts includes two cases as part of the HIPAA Privacy Rule. The additional actions related to the disclosure of patients’ protected health information (PHI). Here is a brief breakdown of the three dental cases just released by HHS: The first dental action includes a $30,000 settlement against the initially cited $104,000 for failure to comply with the Right of Access provision stating covered entities must permit individuals to inspect and obtain a copy of their PHI. Nearly two-and-a-half years from the time of citation, the practice has completed a package of action plans, creating a costly and lengthy resolution process. Something as simple as Google review responses can get you fined! One provider learned the hard way the dos and don’ts of reputation management. A patient filed a complaint with the OCR after the provider included the patient’s full name and PHI in their review response. This cost the practice a whopping $50,000! Not the usual politician slip up, but a recent provider running for office learned not to mix business and pleasure. As part of his political campaign, the provider shared names and addresses of over 5,000 patients with both his campaign manager and third-party marketing partner to distribute letters and emails. Resulting in a final citation of $62,500, this surely put a roadblock on his campaign trail! As we see the OCR cracking down on their HIPAA Right of Access Initiative across dental practices, we encourage you to ensure you have the right HIPAA compliance measures in place. With an hour of your time, we will get you everything you need. How much is an hour of your time worth – we bet it’s not $170,000!
The Road to Meeting HIPAA Breach Reporting Requirements
February 23, 2022 Accidents happen, no matter how careful you try to be. That’s why a safe driver can find themselves in a fender bender and a “cyber-secured” healthcare practice can fall victim to a data breach. Without complete control over everything and everyone, there’s a risk we take just by connecting to the internet or getting behind the wheel. But while the 89% of providers who’ve experienced a cyberattack (and vast-majority of Florida drivers) have proven that you can’t always put the breaks on unpredictability – having an incident response plan in place helps to reduce the impact should an incident occur. So just as you wouldn’t flee the scene to turn a minor rear-end into a major hit and run, meeting HIPAA’s reporting requirements are key in preventing a minor breach from having major implications on your organization. Now whether you’re amongst last year’s 71% increase in healthcare data breaches, or just looking to take your breach response plan for a test drive, steering your practice in the right direction starts with understanding your responsibilities under the HIPAA Breach Notification Rule. Assessing the Breach Anything from an accidental mass email to a targeted ransomware attack can trigger a potential data breach. But the same way backing into a curb doesn’t necessarily warrant a police report, not every disclosure of protected health information (PHI) qualifies as a reportable breach. According to the Department of Health and Human Services (HHS), an impermissible use or disclosure of PHI is presumed to be a breach unless the organization can determine that there is a low risk of the patient information being compromised. Properly assessing the scope of the situation helps in figuring out what type of data was exposed, who exactly was impacted, and how you should best handle the next steps. Determining the risk level can be done with the help of our related article: What to Assess in a Possible HIPAA Breach Notifying the Right People Once you’ve assessed the breach, it’s time to get your apology letters en-route to the impacted patients. HIPAA requires covered entities to provide individual notifications “without unreasonable delay and in no case later than 60 days following the discovery of a breach.” The specifics of what should be included in individual breach notifications can be found in our related article: What is the Breach Notification Rule? Reporting in a Timely Manner Considering the fact that 60-80% of data breaches go unreported, notifying the HHS (and any additional state-specific parties if applicable) is an essential step that is too often missed. HIPAA law drives home some pretty specific reporting timeframes that require: The HHS has made it clear just how important timely notification is in reducing penalties resulting from a breach and has levied several fines, including a $2 million settlement with a hospital, for failing to report on time. So regardless of the number of people impacted, once a breach has been assessed and individual notifications have been sent, we recommend setting the HHS Breach Reporting Web Portal as your next destination. Documenting in Entirety Another step that practices too often speed past is documenting their breach response in entirety. With documentation usually taking the driver’s seat when it comes to proving the action your practice has taken in handling an incident, it’s important to keep a record of the breach analysis and reporting process for up to six years following the incident. Mitigating Further Risk And finally, whether it’s enhancing staff training, implementing stronger safeguards or just ensuring that your patient’s security remains a top priority moving forward – handling a data breach means mitigating whatever fueled it in the first place and taking measures to prevent any future incidents from happening down the road. Some final words of advice? If you have experienced a breach in 2021 and have yet to report it – you should probably get the pedal to the metal before the deadline passes. And if you haven’t experienced a breach and want to keep it that way, having a complete HIPAA and security program are great places to start. So while accidents aren’t always predictable or preventable, having safety measures in place – whether it’s a seatbelt or technical controls – can reduce your risk of an incident and help minimize the damage if there is. Because when it comes to protection, it pays to go the extra mile – especially when there’s a solution out there like Abyde that puts your practice’s compliance on cruise control.
The National Institute of Standards and Technology (NIST) Updates Guidance on HIPAA Compliance Rules
July 29, 2022 You know that exciting feeling when apps have an update that adds awesome new features?! It’s like Christmas morning over here for us at Abyde. The National Institute of Standards and Technology (NIST) just updated its guidelines and added an awesome new feature! After six years, NIST made a significant update by providing guidance to HIPAA-covered entities to follow the HIPAA Security Rule in order to better safeguard patients’ personal and protected health information. Read below to find out what changes were made to the guidelines. The revised guidance connected HIPAA Security Rule items to NIST Cybersecurity Framework subcategories. The advice remains mostly unchanged, with a few minor structural changes and a renewed emphasis on risk assessments and risk management. NIST Cybersecurity Specialist, Jeff Marron states, “We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs. Our goal is to offer guidance and resources you can use in one readable publication.” NIST recommended the following guidelines for practices: NIST Cybersecurity Specialist, Jeff Marron also stated, “The identification of vulnerabilities or conditions that a threat could use to cause impact is an important component of risk assessment. While it is necessary to review threats and vulnerabilities as unique elements, they are often considered at the same time,”. It is important to note that HIPAA and cybersecurity operate best as a team, and a practice with both will operate smoothly. We all understand the need of HIPAA compliance, but practices must also understand the importance of cybersecurity. The more funding and resources allocated to IT security employees, the better off the firm will be when cyber dangers eventually arise. Satisfying HIPAA and cybersecurity regulations is critical to safeguarding your practice and patients from a data breach or HIPAA violation. While these are undoubtedly items that should be emphasized regardless of the government’s spending intentions, the suggestions by the government and NIST add a sense of urgency to ensuring that these vital protections are in place. With the increasing frequency of cyberattacks going on nowadays, ensuring HIPAA compliance is more important than ever. We were chatting with our Partner, Darkhorse Tech, and they talked about how HIPAA compliance services provide a framework for security (essential for any dental business), but they do not provide a proactive response to cyber threats. Instead, they provide preventative methods to safeguard your data and keep you in compliance. So in order to have everything covered your practice needs to adopt an additional layer of security, you should no longer rely exclusively on low-quality anti-virus software to defend you. By enlisting the help of specialists who are actively working to prevent an attack before it occurs, reacting to any threats in real-time, and staying up to speed on the current and impending dangers, you can shift your security measures from preventative and reactive to proactive. Darkhorse Tech CMO, Brian Ash, states, “The latest updates to HIPAA make compliance, reporting, and cyber security even more vital for our clients. While we have been recommending the addition of Abyde for HIPAA compliance for some time, the new guidelines make now the time to commit. Along with Abyde’s software we are making the addition of a Security Operations Center (SOC) our top priority. We vetted many options but are recommending Blackpoint Cyber as our SOC of choice.” As we can see, the NIST provided a great update to their Quizlet so that your practice can maintain a good grade in compliance school. So, I think it is time to take a step back and review that NIST guidance so that your practice can always pass the exam! So ensuring that you’re adequately securing this data begins with a thorough knowledge of what needs to be secured and that’s why we have the ideal study partner for you (Abyde) to assist you with all of your compliance needs!
NY Attorney General Announces $600K Settlement for HIPAA Breach Impacting 2.1M People
January 28, 2022 We aren’t even a full month into 2022 and it’s already looking like increasing HIPAA enforcement might be a New Year’s Resolution for the state of New York. Starting the year off strong, New York Attorney General Letitia James just announced a $600k settlement with vision benefits provider EyeMed as a result of a healthcare data breach that compromised the Protected Health Information (PHI) of over 2 million individuals. It all started back in June of 2020 when cybercriminals got ahold of an EyeMed email account after the provider failed to implement any multi-factor authentication and sufficient password management processes. In just a week of the hackers having access to the EyeMed email account, they were able to obtain emails and attachments from up to six years prior. The following month, the same attacker used the email account to send out 2,000 phishing emails, looking to acquire the login credentials of other EyeMed users. This lack of proper safeguards and security protocols enabled millions of individuals’ names, social security numbers, addresses, medical diagnoses’ and other sensitive data to be compromised. This latest settlement adds on to the continued rise in cyber attacks and government enforcement seen over past years, further proving just how important having a strong cybersecurity and HIPAA program are for healthcare providers. So if your New Year’s Resolution is to avoid a cyberattack yourself, we recommend ensuring that you have the following in place: While data breaches and cyberattacks aren’t always totally avoidable, checking off the list items above is a great way to reduce your chances. But in the case that you’ve already experienced a data breach in 2021, it’s important to note that the annual minor breach reporting deadline (classified by HIPAA as incidents impacting fewer than 500 individuals) is rapidly approaching on March 1, 2022. And as for any major incidents affecting 500+ individuals – the reporting requirement is within 60 days of discovery (or less depending on your state). So some final words of advice? Have the necessary compliance and security programs in place to protect your practice from falling victim to an attack like EyeMed. And in the chance that you do experience a breach, follow the breach reporting requirements to reduce the fines and penalties that could come as a result.
2021 HIPAA in Review
December 28, 2021 Break out your pen and paper because if you haven’t already started your list of new year’s resolutions, the past 12 months have given us plenty of ‘New Year, new me’ examples to take note of. From ratified legislation and appointed government officials to trending cyberthreat tactics (and binge-worthy Netflix series), there have been plenty of ways that 2021 has said, “out with the old, and in with the new”. But while the world around us continues to evolve, the importance of protecting your patients is something that has not and will never falter. So as we wrap up yet another eventful year – let’s take a look at what’s changed, what’s stayed the same and what we can expect to see from HIPAA as we take on 2022. Proposed HIPAA Privacy Rule Modifications 2021’s transformations began even before the new year countdown started with the announcement of proposed HIPAA Privacy Rule modifications made back in December 2020. The government’s proposed modifications help bring the HIPAA Privacy Rule up to current technology standards and address things like removing the barriers to value-based health care, reducing “unnecessary regulatory burdens” and improving the privacy of protected health information (PHI). These highlights only brush the surface of what the 357-page document aims to amend but until the ruling is officially finalized, it’s important for your practice to ensure your HIPAA compliance program is up to date and easy to manageas we should anticipate the new requirements coming into effect in the new year. HIPAA Safe Harbor Law 2021 checked off another one of its resolution list items back in early January by officially signing the HIPAA Safe Harbor Bill into law. The amendment of the HITECH Act takes into account whether healthcare organizations have “recognized cybersecurity practices” in place and allows for some leniency in fines and other enforcement actions in the case of a data breach. While there’s a bit of fine print to follow, the biggest thing for your practice to know is that as long as you have a Security Risk Analysis (SRA), technical safeguards, and other HIPAA Security Rule basics down – you can not only reduce the penalties associated with a data breach but lessen your chances of falling victim in the first place. 21st Century Cures Act Following the Safe Harbor Law’s lead, the 21st Century Cures Act came into effect just a few months later in April of 2021. The new legislation directed by the Office of the National Coordinator for Healthcare Technology (ONC) is centered around the ongoing balancing act that healthcare providers and app developers face in giving patients easy access to their ePHI while still maintaining data privacy and security. With patients at the focus, the Cures Act requirements enable things like transparency into the cost and outcomes of patient care, easier access to health data through apps that meet modern patient needs and the prevention of information blocking. Now, this law also requires a bit of further reading to see just how it impacts your practice but having a complete HIPAA program lays the foundation for meeting these additional requirements and ultimately protecting patient data. Proposed Budget & New Appointed OCR Director If all the new legislation wasn’t enough of a tell-tale sign that 2021 was the year of protecting patient rights along with healthcare and technology – the proposed 2022 HHS budget that increases its funding for those areas specifically sure is. In early June, the Biden Administration released their proposed budget calling for additional spending to better safeguard the healthcare industry from evolving cyber threats and support government efforts in compliance enforcement. This additional spending comes in the form of over $200 million for several different cybersecurity measures and $67 million in funding for the HHS and their HIPAA enforcement efforts. Much of this proposed budget includes an increase in hiring for these specific government agencies with the hope to add 39 staff members to the Office for Civil Rights (OCR) specifically. But the initiatives don’t just stop at the dollar signs – this past September the HHS officially appointed Lisa J. Pino as the new Director of the OCR, marking another step in the right direction of continuing their mission. HIPAA Waivers Extended In the midst of all the change, there have been some things that have stayed the same – one of them being the extension of the HIPAA Waivers and Enforcement Discretions. At the onset of COVID-19, the government issued a National Public Health Emergency. With it came several waivers and flexibilities that work in mitigating the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to continue caring for their patients. So after several extensions to the waiver’s expiration date, we are starting off our second new year with the Public Health Emergency status with the hopes that the current end date of January 16, 2022 sticks. But even with the current flexibilities still in place, it’s important to adhere to HIPAA requirements for telehealth and PHI disclosure to avoid any violations once the enforcement discretion is lifted. Patient Right of Access Enforcement Now a seasoned veteran to the regulatory priority list, Patient Right of Access violations has had yet another impactful year in HIPAA enforcement. 2021’s Right of Access settlements has brought the total violation number to 25 and dollars collected to $1,505,650 since the government announced their initiative back in 2019. And just a few weeks ago, the OCR announced 5 Right of Access settlements in one day alone. So as the government’s focus on timely medical record access continues to reign, your practice should be adding HIPAA right of access standards to the top of your 2022 to-do list too. Data Breaches Last but certainly not least comes another trend that has shown little to no signs of stopping – data breaches. Between ransomware threats, phishing schemes, accidental disclosures and business associate incidents, 2021 has put up record numbers. And just in the past year alone, a total of 550 covered entities had experienced a data breach putting the PHI of over 40 million individuals at risk. So while maintaining strong cybersecurity within your organization is easier said than done, knowing how to identify a cyber threat and having
NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation
December 21, 2021 Handling sensitive information without having the right safeguards in place can be like playing with fire, and we’ve all seen enough headlines to know just how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA has agreed to strengthen data security and privacy practices to prevent further breaches. The investigation was sparked back in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first of the two breaches occurred after several RCCA employees fell victim to a targeted phishing scheme that gave unauthorized access to patient data stored on those accounts from April – June 2019. The phishing scheme exposed driver’s license, Social Security, and financial account numbers along with other health records. While the threat of a phishing scheme can be better avoided through proper cybersecurity measures and employee training, the even bigger problem began in RCCA’s attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified impacted patients in July of that same year. However, the third-party vendor they used to provide this notice, improperly mailed notification letters intended for 13,047 living patients by addressing the patients’ perspective next-of-kin. This mistake resulted in patients’ relatives being informed of their medical conditions without consent – essentially just adding even more fuel to the blaze that the initial breach set off. Now just one lit match wouldn’t ignite a settlement of this proportion, but rather RCCA’s failure to do all of the following: So while the rising trend of healthcare data breaches won’t be easily extinguished, keeping your practice best-protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority and the message from Acting Attorney General Bruck stating, “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” is hopefully something that will spark some change.
HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders
December 20, 2021 To combat HIPAA’s common misconception of acting as a barrier law, the Department of Health and Human Services (HHS) along with the Office for Civil Rights (OCR) has continued to emphasize that the law does not simply prohibit PHI disclosure altogether but rather permits the safe sharing of relevant information when necessary. While we’ve recently seen information published in response to HIPAA’s role in a public health emergency and disclosure of vaccination status – just today the government issued guidance addressing another widely important concern. The latest announcement helps clarify how the HIPAA Privacy Rule permits covered health care providers to disclose protected health information (PHI) for the purpose of extreme risk protection orders (ERPO) and to prevent an individual in crisis from accessing firearms. This guidance follows suit with the U.S. Department of Justice’s model extreme risk protection order legislation and aims to support law enforcement, family members and others who intervene in an effort to prevent firearm injuries and deaths. The issued guidance speaks to HIPAA’s requirements in relation to ERPO laws, stating that the Privacy Rule does allow a health care provider to disclose PHI in support of an application for an ERPO against an individual in limited circumstances. HIPAA allows entities to share an individual’s PHI without authorization if they feel that the individual poses a danger to themselves or others, if the disclosure is required by law, or when the disclosure is in response to an order of a court or other lawful process. It details specific examples for each permission along with general considerations for meeting the Privacy Rule’s “minimum necessary” standard. This standard requires covered entities and business associates to make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the use or request. In response to the issued notice, recently appointed OCR Director, Lisa J. Pino states that, “HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis. Today’s guidance helps clarify legal requirements and to better support individuals in crisis.” This guidance is essential in not only improving the public’s safety but clarifying any confusion that could get in the way of doing that. “Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.” HIPAA plays a key role in not only protecting the privacy and security of patients’ health information but permitting health care providers to intervene in a safe and appropriate matter if ever necessary. So when it comes to keeping your patients and your practice’s best interest at heart, understanding HIPAA law and following guidance such as the one released today, is vital.
OCR Settles 5 HIPAA Right of Access Violations
December 1, 2021 In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally) – announcing five separate HIPAA Right of Access violations all in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-violation announcement. The latest enforcement brings the Right of Access settlement total to 25 and dollars collected to $1,505,650 since the government announced their enforcement initiative back in 2019. And while the not-so-lucky receivers of the government’s “gifts” range by size, specialty, and location – failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share. Wake Health Medical Group The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 fine and corrective action plan to resolve their violation of the HIPAA Privacy Rules’ Right of Access standard. Denver Retina Center Violation number two was given to a Denver-based ophthalmologist and included a $30,000 settlement and one-year corrective action plan as a result of their potential HIPAA Right of Access violations. Advanced Spine & Pain Management (ASPM) The third settlement was gifted to a provider of management and treatment of chronic pain services out of Ohio, whose Privacy Rule violations landed them with a $32,150 fine and corrective action plan consisting of two years of monitoring. Rainrock Treatment Center, LLC (dba Monte Nido Rainrock) Violation number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and participate in a year-long corrective action plan to settle their HIPAA violations. Dr. Robert Glaser And last but certainly not least, the fifth settlement came as a result of not only failing to provide a patient with a copy of their medical records but also lacking cooperation with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived their rights to a hearing, leaving them with a civil money penalty of $100,000. In addition to the settlement announcement, the recently appointed OCR Director, Lisa J. Pino issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.” While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself as a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday” – getting your organization HIPAA compliant and meeting all government requirements – including Patient Right of Access – is the year-round gift that keeps on giving so you can avoid making the next OCR settlement list.