Fine

MedEvolve Pays $350k HIPAA Settlement
Fines, HIPAA

MedEvolve Pays $350k Settlement Following HIPAA Violations

May 16, 2023 Comments Off on MedEvolve Pays $350k Settlement Following HIPAA Violations

May 16, 2023 The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services disclosed a settlement concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. The settlement was with MedEvolve, Inc., a business associate offering practice management, revenue cycle management, and practice analytics software services to health care entities. This settlement brings an end to the OCR’s probe into a data breach incident where a server containing the protected health information of 230,572 individuals was left vulnerable and accessible on the internet. The potential HIPAA violations included the absence of an analysis to identify risks and vulnerabilities to electronic protected health information throughout the organization, and the failure to establish a business associate agreement with a subcontractor.  These agreements typically outline the permissible uses and disclosures of protected health information, implementation of appropriate safeguards, and the procedure for notifying the covered entity of any breaches. As a part of the settlement, MedEvolve paid a $350,000 monetary settlement to the OCR and consented to implement a corrective action plan to address these potential violations and enhance the security of electronic patient health information. OCR Director, Melanie Fontes Rainer, emphasized the importance of securing electronic protected health information, stating, “Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy.” The investigation into MedEvolve began in July 2018 after a breach notification report highlighted that an FTP server containing electronic protected health information was openly accessible on the internet. The exposed information included patient names, billing addresses, telephone numbers, primary health insurer and doctor’s office account numbers, and in some instances, Social Security numbers.  The OCR investigates every report of breaches affecting 500 or more people. In 2022, the most common type of large breach reported to the OCR was hacking/IT incidents, accounting for 79% of cases. It’s therefore essential for HIPAA-covered entities and their business associates to ramp up their efforts to identify and tackle cybersecurity threats. Under the settlement agreement, MedEvolve will be under OCR’s scrutiny for two years to ensure compliance with the HIPAA Security Rule. They have agreed to take measures such as conducting a comprehensive risk analysis, developing a risk management plan, revising policies and procedures as necessary, enhancing their HIPAA and Security Training Program, and reporting non-compliance within their workforce to the HHS within sixty days. In today’s world where data breaches are increasingly common, Abyde takes a proactive stance in ensuring that healthcare providers maintain the highest standards of compliance. Our comprehensive software solution is designed to alleviate the burden of HIPAA compliance for healthcare professionals, and mitigate the risk of a costly incident like MedEvolve’s.

No Practice Too Big
Cybersecurity, Fines, HIPAA

No Practice Too Big

May 11, 2023 Comments Off on No Practice Too Big

May 11, 2023 Small organizations are prime targets for cyberattacks because they are typically less likely to have robust cybersecurity systems if any at all. Yet Aspen Dental, with over 1,000 offices across the United States, recently fell victim to a cyberattack that disrupted its ability to access scheduling systems, phone systems, and other essential business applications. No organization of any size or industry is immune to cyberattacks. The Aspen Group has not confirmed whether or not patient information was compromised, and is still actively investigating the incident’s scope. The breach was first discovered on April 25 and if it turns out that sensitive, personal information was involved in the incident, Aspen Dental will notify the affected individuals in accordance with applicable laws. The healthcare industry is number one on the list of targets for cybercriminals due to the nature of the industry having massive amounts of sensitive personal data for patients ranging from medical records to credit card numbers to home addresses. Dr. Jay Wolfson, USF Associate Dean for Health Policy and Practice said, “Healthcare is the richest source of data for poor people looking to commit fraud and get data on people.” According to a report from healthcaredive.com, 385 million patient records have been exposed as a result of healthcare breaches from 2010 to 2022, emphasizing the critical need for comprehensive security measures like those provided by Abyde’s compliance solutions software. The insurmountable cost of a breach followed by investigations and legalities concerning HIPAA can be detrimental not only financially but also to the reputation of a healthcare entity.  In light of Aspen Dental’s breach, it is evident that using a Compliance-as-a-Software like Abyde’s would have significantly reduced the risk of a cyber event. Abyde’s software offers a comprehensive solution to help healthcare organizations maintain compliance, safeguard sensitive patient information, and ensure the safety of business operations. Investing in such preventative measures allows healthcare organizations to protect themselves from devastating cybersecurity incidents and the endless headache that is sure to follow. This incident goes on to prove that there is no practice too big for compliance.

Pittsburgh HIPAA Violation
Fines, HIPAA

Healthcare Provider Pays $15,000 Due to HIPAA Violation

May 9, 2023 Comments Off on Healthcare Provider Pays $15,000 Due to HIPAA Violation

May 9, 2023 The United States Department of Health and Human Services, Office for Civil Rights (HHS), recently settled a case against the Office of David Mente, MA, LPC, for a violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The healthcare provider, who offers psychological care in Pittsburgh, Pennsylvania, has agreed to pay $15,000 and enter into a Corrective Action Plan (CAP). HHS received a complaint in December 2017 alleging that David Mente, MA, LPC refused to provide individual access to their minor children’s protected health information. After receiving technical assistance from HHS, a second complaint was filed in May 2018 concerning the continued noncompliance with the Privacy Rule. HHS investigated and found that David Mente, MA, LPC failed to provide timely access to protected health information since April 6, 2018. The parties agreed to resolve the matter without further investigation or formal proceedings. David Mente, MA, LPC, will pay a resolution amount of $15,000 and comply with a CAP to address the violation. The healthcare provider does not admit liability, nor does HHS concede that there is no violation of the HIPAA Rules. This situation could have been prevented with the help of the Abyde HIPAA Compliance Software Solution. The software offers a comprehensive and user-friendly solution to help healthcare providers maintain HIPAA compliance by assessing risk, implementing required policies and procedures, and providing ongoing support. By utilizing Abyde, healthcare providers can ensure that they are meeting the Privacy, Security, and Breach Notification Rules requirements and avoid costly settlements like the one faced by David Mente, MA, LPC.

Arizona Cybersecurity HIPAA Fine
Cybersecurity, Fines, HIPAA

Big Fish, Big Fine

February 3, 2023 Comments Off on Big Fish, Big Fine

February 3, 2023 A hacker dropped a line and an Arizona-based nonprofit health system got baited, hook line and sinker. Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a settlement resolving a data breach. The breach, executed by a “threat actor”, disclosed the protected health information of 2.1 million consumers. Ouch!  Outlined by the HHS, the HIPAA violations include: The investigation began back in 2016 after OCR received a receipt of a breach report. The hacker was able to access PHI such as patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medication, diagnoses and conditions, and health insurance information.  As part of the settlement, the hospital paid $1,250,000 to OCR and agreed to a Corrective Action Plan. The plan highlights efforts to resolve their violations against the HIPAA Security Rule.  Before you catch yourself becoming a victim of “here fishy fishy”, make sure all your ducks – or should we say fish – are in a row. As we continue to see the relevance and impact of cybersecurity incidents increase, you should be more alert and secure than ever. And if you’re thinking, well that was a hospital – that could never happen to me, be careful what your next Go Fish card is. Whether you’re a big fish in a little pond or a little fish in a big pond, hackers are targeting healthcare. This particular hospital is facing extensive hours of work to complete its Corrective Action Plan which includes conducting a risk analysis, developing a risk management plan, implementing and distributing policies and procedures, and regular follow-up with the HHS. Conveniently, these are all things Abyde can help with. Reach out today to find out how we can save you over 80 hours a year and a time-consuming Corrective Action Plan down the road.

January 2023 HIPAA Fine
Fines, HIPAA

With the first settlement announcement of 2023, OCR selects…

January 4, 2023 Comments Off on With the first settlement announcement of 2023, OCR selects…

January 4, 2023 We didn’t even make it through the first week of the new year before we saw the first settlement announcement. Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with a Georgia full-service diagnostic lab. The potential violation marks the 43rd associated with the HIPAA Right of Access Initiative to date. This is now the third Right of Access settlement we have seen in the last month.  The initial complaint was first filed back in August of 2021 when a personal representative was unable to obtain a copy of her deceased father’s medical records. While the lab finally complied in February of 2022, it took seven months for the requester to receive the records. The HIPAA right of access provision requires that patients be able to access their health information in a timely manner, typically within 30 days.  The lab has agreed to pay $16,500 and implement a corrective action plan to resolve this investigation. The corrective action plan includes two years of OCR monitoring. OCR Director, Melanie Fontes Rainer, shared her thoughts, “Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories.” While we all have the same goal in common – to provide the best experience for our customers and patients – that doesn’t always equate to direct care. Ensuring that their needs and requests are met is essential to the overall experience. From the first time they Google you all the way to a request for records, you are making an impression. And whether it’s the first impression or the last, don’t you want it to be a good one?

Fines, HIPAA

A costly race against the clock

December 16, 2022 Comments Off on A costly race against the clock

December 16, 2022 On Thursday, the HHS Office for Civil Rights announced a settlement with a Florida primary care practice over a violation of the HIPAA Privacy Rule’s right of access provision. This marks the 42nd case under the Right of Access Initiative to date and the second settlement this week.  All the way back in mid-2019, a daughter, serving as personal representative, was attempting to retrieve her deceased father’s records. After multiple attempts, the practice failed to provide timely access. HIPAA’s right of access standard requires a covered entity to take action on an access request within 30 days of receipt. The practice exceeded that allotted time; the daughter received all requested records nearly five months after the initial request.  OCR Director, Melanie Fontes Rainer, stated, “The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously.”  The FL primary care practice has since paid its $20,000 fine to the OCR and is working to implement a Corrective Action Plan. The plan will be closely monitored over the next two years and includes updating, distributing, and training on all applicable policies and procedures.  In the age of immediacy, there is no exception when it comes to patient record requests. When a patient requests access to their records, prioritize their request. You have 30 days to take action or you could face not only an OCR investigation but a big fine – one we bet is not worth rearranging your priorities to put the patient first.

New York OSH Center Case
Fines, OSHA

A New York Health Center’s Case is Denied Under OSH Act

November 28, 2022 Comments Off on A New York Health Center’s Case is Denied Under OSH Act

November 28, 2022 Hey, ref – blow the whistle already! Back in June of 2021, the U.S. Department of Labor filed suit against a New York health center due to an alleged violation of the OSH Act. It was reported that the NY health center suspended and later terminated an employee who had reported personal concerns about exposure to COVID-19. The employee, also known as the whistleblower did so under the OSH Act, which protects workers from retaliation when reporting a hazardous work condition.  The health center proceeded to file a motion in October of 2021, preventing the department from seeking damages for the whistleblower. Fast forward to September of this year, a federal court has rejected the health center’s case under the protection of the OSH Act.  Regional Solicitor of Labor, Jeffrey Rogoff adds, “This is a significant decision reaffirming the U.S. Department of Labor’s independent authority to pursue legal actions and relief for employees in the name of the public interest. The Office of the Solicitor of Labor will continue to aggressively bring cases seeking to vindicate the rights of whistleblowers, who are essential to the proper functioning of laws protecting the health and safety, wages, and wellbeing of the American workforce.” More investigations from the OSHA’s Division of Whistleblower Protection Programs are underway in New York. So what can we take away from this? As a reminder, the Whistleblower Protection Program enforces the provisions of more than 20 federal laws. These protect your employees from retaliation from raising or reporting their concerns about hazards of violations of various workplace safety and health. Make sure your office is a safe place where employees can voice their concerns, but more importantly you are taking the proper steps upfront to ensure your practice meets the necessary safety and health standards.

North Carolina Increases State OSHA Penalties
Fines, Legislation, OSHA

North Carolina Department of Labor Increases State OSHA Penalties and Updates Investigation Timelines

October 13, 2022 Comments Off on North Carolina Department of Labor Increases State OSHA Penalties and Updates Investigation Timelines

October 13, 2022 Do you get surprised and frustrated when policies change? How about when your bill was more expensive than you originally thought? We can relate. The North Carolina Department of Labor increased state OSHA penalties and investigations to match current Federal OSHA standards through the Appropriations Act. Starting October 1st, fines will increase and follow the same pattern every January 1st. Prior to this change, if a practice was fined the maximum under NC OSHA the cost to the practice would be: Wow, that’s a lot of dough – and we’re not talking about the pizza or cookie kind! And if you though that was expensive, here is what a violation will cost now: Notice anything special about the fines above? Some can be “per day”. We all know time is money and there’s no exception when it comes to OSHA. Not only are the penalties changing, but the time frame to issue citations is as well. Previously, citations could be levied up to six months from initial reporting. Also being implemented on October 1st, NC OSHA has six months from the first inspection to levy a citation, not from initial reporting like before. Don’t get me wrong – we love a good limbo at a party, but not when it comes to OSHA citations! The famous Pablo Piccaso said, “Action is the foundational key for all success”. With North Carolina amending a few OSHA policies, take the time to educate yourself to avoid any costly violations.

Dental Patient Right of Access
Audits, Fines, HIPAA

OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Comments Off on OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Boom! Pow! Bang! Three dental practices were sacked yesterday, resulting in nasty bruises and a loss of yards on the play. After heading into the locker room and studying some film, they recognized there were some lessons to be learned in the OCR’s HIPAA Right of Access playbook. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of three investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. The OCR’s HIPAA Right of Access Initiative started in 2019 to ensure patients receive their records in a timely and costly manner. With three actions in one day and a total of 20 just this year, we are seeing a 42% increase year over year in the enforcement of the Privacy Rule. The OCR’s effort has now raised the total to 41 Right of Access actions across the span of 3 years, setting a strong example for practices across the country on the importance of maintaining compliance. OCR Director, Melanie Fontes Rainer, states, “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” Here is an instant replay of when three dental practices crossed the line of scrimmage:  The first dental practice had a delay of game penalty after failing to provide timely access to their former patient’s records. The former patient didn’t receive a complete copy of their records until October 2020, five months after they filed a complaint back in May 2020. This resulted in a $30,000 settlement and the implementation of a Corrective Action Plan. The second dental practice got a 15-yard penalty for not providing a patient with a copy of her records in a timely or costly manner. The practice refused to provide the records because the patient wouldn’t pay the $170 copying fee. That’s not a fair catch! After the OCR got involved, the dental practice had to cough up $80,000 in settlement and adopt a Corrective Action Plan. Maybe they should’ve read the HIPAA Rule book! The starting running back fumbled the ball when this practice failed to provide a mother and her son with copies of their PHI until after the play clock hit zero. After multiple requests and eight months of waiting, she finally got the medical records in her hands. The dental practice had to fork over $25,000 and implement a Corrective Action Plan. After watching the game footage, there is a clear solution here! Make sure your practice provides patients with timely and costly access to their medical records. Six dental practices have been sacked so far in 2022, which means we have already witnessed a 600% increase solely in the dental space compared to the 2021 season. That is not a statistic you can ignore! You could be next, so we encourage you to make sure you have the right compliance measures in place to avoid these large fines. Is your game plan ready?

OCR Settles Case Concerning Improper Disposal of Protected Health Information
Fines, HIPAA

OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 Comments Off on OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 When it’s time to clean out and organize that ole garage, you probably want to take time to make sure all your sensitive and sentimental items – files, photographs, etc. – are in the right spot before taking them to the dump. It should be no different when it comes to disposing of old devices or hard drives at the office that contain sensitive ePHI, yet practices continue to fail. In recent news, the OCR announced a settlement for a dermatology practice located in Massachusetts that failed to properly dispose of protected health information. As a result, the dermatology practice agreed to pay the hefty fine of $300,640 to the OCR and implement a Corrective Action Plan to resolve the investigation. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling – so that the information cannot be read by the wrong parties. Despite this being common practice,  the Massachusetts dermatology practice had PHI that was exposed. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. It is critical that your practice understands how and where to dispose of PHI. But what exactly constitutes proper digital data disposal? Disposing of your PHI is not as simple as clicking the delete or trash button. If you do not completely delete these files from your devices, they can be recovered using high-tech software. The following are some thorough methods for properly disposing of PHI: There are lots of devices that could have been used to store PHI even though you would never realize they do. These devices include: Before you burn those electronic devices in a campfire, remember that HIPAA requires practices to keep PHI for at least 6 years, and maybe longer depending on your state. Devices containing data that is older than six years should be backed up before being wiped clean, and data should be encrypted while being kept. At the end of the day, whether it is boxes of important documents in your garage at home or PHI at your very own practice, it is critical to dispose of it properly and safely.

Concerned about HIPAA & OSHA compliance requirements in 2025? Join our live webinar for expert answers to the most common questions to ensure your practice is protected.

REGISTER TODAY
X