Fine

Business Associate Risk Analysis Initiative Fine
Abyde News, Business Associates, Fines, HIPAA

Business Associate Accountability: Health Fitness Corporation’s $227k HIPAA Fine

March 27, 2025 No comments yet

March 27, 2025   With over $3.5 million of fines levied against Business Associates (BAs) so far in 2025, it’s fair to say that the Office for Civil Rights (OCR) is serious about holding them accountable. These fines in 2025 serve as a reminder that BAs play a crucial role in safeguarding Protected Health Information (PHI).  The latest BA HIPAA fine was enforced on the Health Fitness Corporation, which offers wellness plans nationwide.  After a flurry of breach reports, Health Fitness Corporation found itself in the crosshairs of a HIPAA investigation. This investigation exposed some critical missteps, leading to a $227,816 settlement and a two-year Corrective Action Plan (CAP).  At the center of this fine is a missing Security Risk Analysis (SRA). The SRA is a thorough assessment that identifies the organization’s vulnerabilities.  This fine was also the fifth enforcement of the Risk Analysis Initiative, a recent program by the OCR to ensure regulated entities complied with this HIPAA requirement.  This fine not only spotlights the importance of Business Associates following HIPAA, but also for all regulated entities to be aware of the Security Risk Analysis requirement.    What Happened?  In August 2015, PHI was exposed online due to a server misconfiguration. This breach was not discovered in June 2018, with an estimated 4,000 patients impacted by this security issue.  Four breach reports describing this incident were filed from the end of 2018 into early 2019.  This led to the OCR investigating Health Fitness Corporation. It was then uncovered that the organization did not complete a thorough SRA until 2024.  The SRA is an annual requirement for every HIPAA-regulated entity. This assessment should also be completed after any breach to review and address vulnerabilities.  As a result, the wellness program organization was fined $227,816 with government monitoring for the next two years.    How to Protect Your Organization  When working with PHI, all involved parties must know their responsibilities.  For Covered Entities and Business Associates, having a Business Associate Agreement (BAA) with any third parties with access to PHI is vital. BAAs define each party’s responsibilities, creating legal liability. This required document demonstrates that each party is willing and able to take responsibility for protecting sensitive patient data. In addition to being aware of HIPAA responsibilities, ensure your organization completes an SRA annually, and anytime a breach occurs. Risks can be mitigated by being on top and informed about your organization’s vulnerabilities.  Utilizing a smart software solution can streamline these requirements. Smart solutions can streamline the SRA and any BAAs, protecting your organization. To learn more about how you can automate and streamline compliance in your practice, schedule a consultation with an expert today.

Warby Parker HIPAA Fine
Abyde News, Fines, HIPAA

Warby Parker’s $1.5 Million HIPAA Fine: A Security Risk Analysis Eye-Opener

March 6, 2025 No comments yet

March 6, 2025   Warby Parker, the popular prescription eyewear retailer with a strong online presence and expanding physical stores, was recently fined $1.5 million for a HIPAA violation. This enforcement highlights that no matter how big your organization is, the government can and will investigate breaches of PHI.  In 2025, the Office for Civil Rights (OCR) has issued over $5 million in fines so far, almost all of which involved a missing Security Risk Analysis (SRA). The SRA thoroughly assesses your practice’s physical, technical, and administrative safeguards for securing patient Protected Health Information (PHI).  The Warby Parker fine is a stark reminder that the SRA, a detailed examination of your PHI safeguards, is not just a recommendation; it’s a necessity.    What Happened?  In late 2018, Warby Parker experienced numerous unusual login attempts on its site. It was discovered that customer logins were breached through credential stuffing or when information was pulled from unrelated breaches. For example, a customer’s login was likely reused on another hacked site.  The OCR began its investigation in December 2018, but the flurry of attacks continued. Warby Parker, which also provides eye exams, issued several addendums to its initial breach report, revealing that additional customer and patient accounts were compromised. Additional attacks occurred in 2020 and 2022. Overall, these cybercrimes impacted almost 200,000 patients.  As the OCR investigated Warby Parker, it discovered that Warby Parker did not conduct an adequate security risk analysis, implement sufficient technical safeguards to prevent further attacks, or regularly review system access. These failures to protect PHI led to a $1.5 million Civil Monetary Penalty (CMP), demonstrating that even massive organizations need to comply with HIPAA requirements.  How to Protect Your Organization The first step to HIPAA compliance for your practice is proactively maintaining an SRA. By evaluating and identifying your vulnerabilities, your practice can address these weaknesses before they become serious problems. As stated before, no matter how small or large your organization is, you must complete the SRA annually.  Regular reviews of PHI access are essential to identify and address breaches promptly, minimizing the number of affected patients. Implementing an access log is crucial as well, ensuring staff is held accountable for documenting when they interact with PHI.  Utilizing a compliance software solution can alleviate the stress of managing numerous requirements. Software solutions can streamline compliance and offer a SRA and an access log within the program. By outsourcing compliance, your team can focus more time on patient care.  To learn how to simplify HIPAA compliance for your practice, schedule a consultation with a compliance expert today.   

Outcomes of a HIPAA Investigation
Abyde News, Best Practices, HIPAA

The Final Verdict: HIPAA Investigation Outcomes

March 3, 2025 No comments yet

March 3, 2025   Welcome to the fourth and final installment of Abyde’s HIPAA Investigation Survival Series. We’ve already reviewed the initial breach, the letter you received, organizing documentation in response to the letter and data request from the OCR, and now the possible outcomes of a HIPAA investigation.  There are a few possible outcomes for a HIPAA investigation. As discussed at the end of the previous blog post, the ultimate judgment from the OCR could be levied months or even years after the investigation started.  What are the possible outcomes of a HIPAA Investigation? The most favorable outcome of an investigation is when the OCR closes your investigation. Your OCR investigator will inform you through writing, either through an official email or letter, that your documentation was sufficient, showcasing that your practice is implementing the right safeguards to secure Protected Health Information (PHI). Once an investigation is closed, you’ve officially passed the investigation.  However, the OCR can and will levy monetary fines if your documentation is insufficient. Monetary fines range from $141 to over $2 million per violation. Fines are tiered, starting with tier 1, which is the least serious based on a sincere lack of knowledge of a violation, to tier 4, or willful neglect of a situation if not corrected within 30 days. These fines are also adjusted yearly based on inflation.  HIPAA fines are categorized into two types: Civil Monetary Penalties and Settlements. Civil Monetary Penalties are imposed when a practice is found guilty of violating HIPAA regulations. The practice and the OCR negotiate settlements, and the practice does not admit to any HIPAA violations once paying the fine.  Both forms of penalties are highlighted on the OCR’s website as press releases and written about by numerous healthcare compliance news professionals, meaning this fine will live on the internet forever.  Lastly, the OCR can levy a Corrective Action Plan (CAP) in addition to a monetary penalty. A CAP requires a fined practice to be monitored by the OCR for several years, as defined by the CAP. This leaves the practice subject to government scrutiny, another hurdle.    How Can I Avoid This? Proactive measures are key when it comes to avoiding a HIPAA investigation. By implementing the appropriate safeguards before a situation occurs and properly training all staff, your practice can avoid common mistakes leading to breaches.  Utilizing a software solution is imperative when handling HIPAA compliance. Outsourcing compliance streamlines compliance for your practice, freeing your time and providing an easily accessible hub for all documentation.  To learn more about simplifying HIPAA compliance for your practice, schedule a consultation with one of our experts today.  To visit our first installment of this series about the breach that likely causes an investigation, please visit here, learn more about the audit letter, visit here, and learn more about organizing documentation for an investigation here.   

Business Associate HIPAA Fine
Business Associates, Fines, HIPAA

Choose Your Business Associates Wisely: An $80K Mistake

January 8, 2025 No comments yet

January 8, 2025 As we ring in the new year, it’s important to remember that Business Associates (BAs) are just as responsible for protecting patient health data as their Covered Entity counterparts. A major misstep by a BA was highlighted recently on a federal level, and the first fine of 2025 was imposed. Elgon, a Massachusetts-based medical record and billing support company for Covered Entities, was levied a $80,000 fine due to numerous violations of the Security Rule, which were exposed by the fallout of a ransomware attack. As a proposed update to the Security Rule is currently open for public comment and may take effect in the spring, it is crucial for Covered Entities to select Business Associates (BAs) who prioritize compliance. BAs are just as responsible for ensuring that Protected Health Information (PHI) is kept secure. What Happened? Elgon was the victim of a ransomware attack on March 25, 2023. Unfortunately, the BA didn’t realize the intrusion of its firewalls for over a week until a ransom note was discovered. Elgon then reported the breach, which affected over 30,000 patients of a Covered Entity. Thousands of social security numbers, addresses, and other personally identifiable information were leaked from the attack. When Elgon was investigated, it was uncovered that the organization failed to recognize its risks in a Security Risk Analysis (SRA). The SRA is at the foundation of a successful practice or business, giving an organization a benchmark on how it handles PHI and how it can improve. This fine is also the second enforcement of the OCR’s Risk Analysis Initiative, highlighting the importance of completing and maintaining this assessment. How to Protect Your Organization Covered Entities and Business Associates need to uphold their commitment to protecting patient data. This recent fine is a stark reminder of what can happen when the proper procedures are not followed, exposing the personal information of thousands of patients. To avoid and mitigate situations like this, Covered Entities must carefully choose the right BA to work with, ensuring they also understand the importance of protecting patient data.  For BAs, having the proper safeguards in place is vital, earning trust from Covered Entities that you can keep their patients’ PHI safe. A key document that establishes the liability of both parties is the Business Associate Agreement (BAA). The BAA is a written document required when working with Business Associates and vice versa. This signed agreement ensures both parties know their responsibilities when handling patient data. Proposed updates to the Security Rule expand on this, with BAs potentially having to verify they are enforcing the proper safeguards on a yearly basis, certified by a compliance expert. Overall, this fine sets the tone for a new year of significant changes and enforcement by the OCR. Covered Entities and Business Associates must both understand their critical role in protecting patients. To learn more about how you can become HIPAA compliant, schedule a consultation with our team of experts today.

Ransomware HIPAA Fines
Cybersecurity, Fines, HIPAA

The Price of Neglect: Ransomware Fines Hit Healthcare Practices

November 7, 2024 No comments yet

November 7, 2024 Healthcare practices felt quite a scare on Halloween, with over half a million dollars in fines levied on medical practices. These practices were fined for not taking the necessary precautions against ransomware breaches. The two practices impacted on this day of significant fines include Plastic Surgery Associates of South Dakota in Sioux Falls (PSASD), a multi-location organization, and the Bryan County Ambulance Authority (BCAA), an Oklahoma emergency medical services provider. PSASD was fined $500,000, and BCAA was fined $90,000. These significant fines are just the precipice of the future of healthcare breaches, with ransomware breaches increasing 264% since 2018. What Happened? Major ransomware attacks unfortunately impacted both of these healthcare providers. For PSASD, a breach was discovered that infected nine workstations and two servers in July 2017. This breach impacted over ten thousand patients, putting their data at risk. The malicious actors utilized trial and error to hack into the organization’s system. The data was unable to be restored. The investigation revealed significant gaps in their compliance program, including a missing Security Risk Analysis, inadequate policies and procedures for data handling and breach reporting, and insufficient training. This $500,000 penalty also includes two years of monitoring by the Office For Civil Rights (OCR). For the BCAA, its ransomware attack began in November 2021, but wasn’t reported until May of the following year. After a breach, depending on the severity, you must notify the OCR within 60 days. Since this breach impacted over 14,000 patients or over 500 people, it is considered a large breach. Similar requirements, such as a Security Risk Analysis, adequate policies, a risk management plan, and other safeguards, were missing as found in this investigation. It’s $90,000 fine includes a Corrective Action Plan as well. Protecting Your Practice from Ransomware Ransomware attacks will continue to affect our healthcare system. Although complete immunity is impossible, there are many precautions you can take to protect your practice. Implementing the right technical safeguards, such as firewalls, antivirus software, and a qualified IT team is crucial. Additionally, you can streamline your HIPAA compliance by using intelligent software solutions that help identify your compliance needs unique to your practice. In the event of an attack, these solutions can also guide you on how to respond effectively. To learn more about these smart solutions, meet with a compliance expert today.

Patient Record Access HIPAA Fine
Fines, HIPAA

Expensive Oversight: The Importance of Timely Patient Record Access

October 24, 2024 No comments yet

October 24, 2024 There has been a flurry of HIPAA fines in the past few weeks, with over half a million dollars levied in the last month.  Just one example is Gums Dental Care, LLC, a small dental practice in Maryland that was fined for a Right of Access violation. Right of Access violations, which involve failing to provide medical records in a timely manner, are a common HIPAA mistake. Another violation for this was issued in August.   What Happened?  A patient requested her medical records from Gums Dental on April 8, 2019. After not receiving them, she issued a complaint to the OCR in May 2019. The OCR contacted Gums Dental Care for technical assistance and believed the case was over.  This was just the beginning. This case spanned years, with a second complaint filed in August 2019 and the OCR sending several data requests through letters and calls to Gums Dental.  On October 1, 2020, the OCR sent Gums Dental a proposed resolution agreement and corrective action plan. At the end of the month, Dr. Gumbs wanted to present her case in front of a judge, believing the patient would commit Medicaid fraud with her records. She also said that the complainant didn’t pay a $25 administrative fee to release the medical records through mail. First, patients should always have access to their medical records, regardless of their reasons. Second, the fee would be waived if the patient requested it digitally, not through mail.   In December 2020, the OCR issued a Letter of Opportunity to Gums Dental. At the beginning of the next year, Dr. Gumbs once again justified her refusal to provide the records since she believed her patient would commit a crime with them. She also believed her website wasn’t secure enough to send them digitally. However, Gums Dental didn’t attempt to send the records at all.  By the time the Notice of Proposed Determination was sent in March 2022, roughly three years after the first medical record request, Gums Dental faced a Civil Monetary Penalty fine as high as $7,676,692. However, the OCR ultimately levied a $70,000 fine, recognizing the smaller size of the dental practice.    How to Protect Your Practice Common HIPAA fines often involve Right of Access violations. At the federal level, practices are required to provide patients with their medical records within 30 days, and some states have an even shorter timeline. Navigating these unique regulations can be challenging, so having an intelligent solution is crucial. Smart software can streamline compliance for your practice by generating policies and procedures tailored to your needs. These solutions also include access to a team of compliance experts who can help answer your questions and ensure that you are interacting with patients in a HIPAA-compliant manner.  To learn more about software solutions, with a compliance expert here.   

$240K Ransomware HIPAA Fine
Fines, HIPAA

The Rise of Ransomware in Healthcare: How a Phishing Breach Led to a $240K HIPAA Fine

October 14, 2024 No comments yet

October 14, 2024 Unfortunately, the future of data breaches is ransomware, accounting for nearly two-thirds of data breaches. As ransomware remains a significant threat in the healthcare sector, another HIPAA fine has been issued concerning a ransomware incident. Recently, a healthcare organization was fined $240,000 following ransomware attacks, including phishing, that compromised the Protected Health Information of over 85,000 patients. What happened?  The Center of Orthopaedic Specialists merged with Providence Medical Institute, a healthcare system in southern California. In February 2018, during the transition, an employee clicked on a malicious link from a phishing attempt, which encrypted over 85,000 files with ransomware. Subsequently, two more successful ransomware attacks were launched on the already vulnerable IT system. Between these attacks, PMI restored data using backup tapes. In the final ransomware attack, the malicious actors used stolen credentials from previous attempts to remotely access PMI’s systems. What could they have done? After the breach, several cybersecurity mistakes that affected almost 100,000 patients were brought to light. Before merging with PMI, the Center of Orthopaedic Specialists partnered with another IT company, Creative Solutions in Computers. However, PMI failed to sign a Business Associate Agreement with the IT company during the transition, a crucial HIPAA requirement. This agreement ensures that both parties understand and take the necessary precautions to protect PHI. Furthermore, PMI made numerous IT and cybersecurity mistakes, such as sharing logins, not properly separating private networks from public networks, failing to monitor access controls, and not encrypting ePHI, which allowed anyone with access to view it. The lack of proper IT infrastructure, which could have been easily avoided, significantly impacted numerous patients. What’s next?  After the recent HIPAA fine, it’s crucial for your practice to take the necessary precautions and implement cybersecurity measures to safeguard your patients’ data. When establishing a culture of compliance for your practice, using smart software solutions can help you assess your practice’s status and offer efficient solutions to meet requirements, such as electronically managed Business Associate Agreements. To find out more about how intelligent software solutions can protect your practice from cyber attacks, schedule a consultation with a compliance consultant.

$250K HIPAA Fine for Data Breach
Fines, HIPAA

$250K HIPAA Fine for Data Breach: The High Cost of Ignoring Cybersecurity Threats

October 3, 2024 No comments yet

October 3, 2024 Ransomware remains a significant threat to the healthcare industry, causing nearly two-thirds of data breaches. The Office for Civil Rights imposed a $250,000 HIPAA fine on Cascade Eye and Skin Centers, which provides ophthalmology and dermatology care in Washington state. This fine highlights the ongoing impact of ransomware attacks on the healthcare sector and emphasizes the importance of protecting medical practices. What Happened?  In May 2017, hackers held almost 300,000 electronic Protected Health Information (ePHI) files at Cascade Eye and Skin Centers for ransom. The practice lacked essential safeguards, such as a thorough Security Risk Analysis and effective data access monitoring, leaving patient data vulnerable to malicious actors.  The Aftermath  The $250,000 fine is a stark reminder of the OCR’s commitment to enforcing HIPAA compliance against cybercrimes. Several ransomware fines have been levied in the past year, and unfortunately, this trend is expected to continue as ransomware attacks against healthcare organizations rise. In addition to the substantial fine, the practice is subject to a Corrective Action Plan (CAP), with the OCR overseeing Cascade Eye and Skin Centers as it implements necessary initiatives and measures to safeguard its operations from cybersecurity breaches. Protecting Your Practice While no healthcare practice can be completely immune to cyber threats, there are proactive steps you can take. By implementing preventive measures, you can stop cyberattacks before they impact your practice.  Implementing a comprehensive Security Risk Analysis can help identify vulnerabilities and inform your risk management strategy, providing a comprehensive overview of what your practice currently has in place. Encrypting data provides another layer of protection by making it inaccessible to unauthorized individuals. Firewalls and antivirus software can also act as barriers to malicious attacks.  Beyond technical safeguards, a well-developed Disaster Recovery Plan is essential for minimizing the impact of a breach. Having a plan in place can help ensure a swift and effective response to incidents and limit disruption to patient care. Remote access and support capabilities can also be critical in managing compromised systems and restoring operations quickly. As technology continues to transform the healthcare industry, your compliance program should also evolve. By utilizing automated software, you can streamline compliance efforts, receive expert guidance, and stay informed about the latest cybersecurity threats.  Schedule a consultation with a compliance expert to learn more about how software solutions can help protect your practice. 

American Medical Response HIPAA Fine
Fines, HIPAA

Your Medical Records, Your Right: AMR Learns Costly Lesson

August 6, 2024 Comments Off on Your Medical Records, Your Right: AMR Learns Costly Lesson

August 6, 2024 Did you know the Office for Civil Rights (OCR) has launched a new initiative to ensure proper compliance with patients’ Rights of Access? American Medical Response (AMR), a private ambulance company, has now felt the impact of these efforts, becoming the 49th entity to face a HIPAA Right of Access Enforcement Action. AMR was recently fined $115,200 for failing to provide a patient with their medical records in a timely fashion.  AMR’s mistake was brought to the attention of the OCR through a patient complaint. On October 31, 2018, the patient requested a copy of her medical records. Instead of receiving them within the allotted 30 days, this sparked the beginning of a long battle for her records.  In January 2019, the patient sent follow-up requests to both AMR and its Business Associate, Centrex. AMR responded to the request in March 2019, sending the patient an invoice and requiring payment before the records were provided.  During the ongoing battle for her medical records, she warned AMR she would report the organization to the OCR if her records were not provided. The patient filed a complaint in July 2019. Finally, the records were provided on November 5, 2019, over a year after the initial request.  What is Right of Access?  HIPAA’s Right of Access rule, which falls under the HIPAA Privacy Rule, allows patients to receive access to their medical records within 30 days with minimal or no charges. These charges can only include the costs of copying and mailing medical records. In some states, this 30-day requirement is shorter, like in California, which requires access to copies within 15 days.  This right empowers patients to make informed healthcare decisions, such as sharing their medical history with new providers. What should my practice do?  First, proper training is essential to ensure that staff understand the importance of providing patients with their records on time. Additionally, staff must understand and follow the procedures for securely sharing medical information with the patient. Ensuring staff is properly trained and aware of the resources available to them is vital to staying compliant.  You could be adding more stress to your plate if you still use a dusty binder to track and manage HIPAA compliance. Keeping track of training, documentation, and the constantly evolving regulations is a complex task that demands a modern approach. Intelligent software solutions can offer staff a centralized compliance hub with everything they need to know when navigating patient requests. To learn more about how smart compliance software solutions can protect your practice, schedule a consultation with an expert today. 

Heritage Valley Health System HIPAA Fine
Fines, HIPAA

A Nearly Million Dollar Mistake: Heritage Valley Health System

July 3, 2024 Comments Off on A Nearly Million Dollar Mistake: Heritage Valley Health System

July 3, 2024 Did you know that ransomware attacks are becoming increasingly common in healthcare?  Since 2018, there has been a whopping 264% increase in large ransomware breaches. The devastating impact of a ransomware breach on an organization is wide-reaching, regardless of its size, as seen with the Change Healthcare breach. It’s imperative to take the proper precautions to ensure that Protected Health Information (PHI) is secure against hacking attempts.  At the center of the latest fine, Heritage Valley Health System (HVHS), which operates in Pennsylvania, Ohio, and West Virginia, fell victim to ransomware attacks. These attacks infected HVHS systems, affecting sensitive patient information.  As the Office for Civil Rights (OCR) reviewed the major data breach, several pieces of required documentation, such as a Security Risk Analysis (SRA) and an emergency plan, were absent.  This missing documentation has led to a $950,000 fine and three years of corrective monitoring.  Let’s explore what you can do to prevent this nearly million-dollar mistake. Importance of an SRA  The purpose of the SRA is to review your risks and vulnerabilities regarding the management of ePHI (electronic Protected Health Information). This comprehensive analysis notes the physical, technical, and administrative controls to protect your patient’s PHI.  Your SRA is documented proof that your organization understands its weaknesses and is making strides to address them and better protect patient data.  While the SRA is a very important document, it is frequently missed. From the last round of random HIPAA audits, which have resumed recently, only 83% of practices and Business Associates could produce a sufficient SRA.  SRAs are vital for practice compliance, showcasing growth, and best practices in safeguarding patient data. Check out our recent blog post here to learn more about the SRA. Why do I need plans in place?  When running a medical practice, it’s important to be prepared for any situation that could arise. That’s why policies and procedures are so important. If your practice faces a scenario that may compromise PHI, your team needs easy access to a plan for handling the situation calmly. By addressing potential challenges well in advance, your team will feel empowered and confident in their ability to respond. Moreover, as part of your preventive measures, it’s beneficial to designate specific roles and responsibilities for your staff. This ensures that everyone is aware of their duties in any given situation.  Cybersecurity Measures  Unfortunately, healthcare practices have become very common victims of ransomware attacks. To prepare your organization for this, follow best cybersecurity practices, such as encryption, reviewing access controls, and creating unique sign-ons for all employees.  Healthcare organizations should prioritize technical safeguards like encryption, access controls, and multi-factor authentication. However, security goes beyond technology.  Implement security awareness training for staff, establish a data breach response plan, and maintain regular backups. Regularly conduct risk assessments and evaluate the security practices of third-party vendors. It’s important to consider partnering with an IT company offering valuable expertise. They can recommend the right tools, update you on evolving threats, and monitor your systems for suspicious activity. This layered approach will strengthen your systems and prepare you for potential attacks. How Smart Software Can Help Fines for HIPAA non-compliance can be staggering, but there are alternatives to the manual tracking and paper binders you may be used to. Intelligent software systems are designed to save you time and headaches and ultimately protect your practice to avoid audits and fines. Software empowers your team to manage your program easily and enables a culture of compliance in the office. It streamlines commonly overlooked requirements such as the SRA with dynamically created documentation and develops comprehensive plans, policies, and procedures so you stay current with the latest requirements. Better yet, when using cloud-based software solutions, you get 24/7 secure access and real-time updates when compliance regulations change. Schedule an educational consultation today to learn more about how software solutions can protect your practice.     

How can HIPAA & HR non-compliance affect your practice? Join our live webinar with HR for Health on April 15.

REGISTER TODAY
X