July 18, 2022 Waking up every morning is an eye-opening experience. Do you know what else is an eye-opening experience? Waking up to see all of the enforcement investigations the OCR has launched against practices like yours. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of eleven investigations under its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. OCR launched the initiative to support individuals' right, under the HIPAA Privacy Rule, to timely access to their health records at a reasonable cost. HIPAA gives individuals the right to view and obtain copies of their health information from their healthcare providers and health plans, and a HIPAA-regulated entity has 30 days after receiving a request to provide the individual or their personal representative with the records (one 30-day extension is permitted if the entity gives the individual written notice of the reason for the delay). OCR Director Lisa J. Pino stated, "Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and people's fundamental right to timely access to their medical records." Practices are no longer sneaking under the radar! With this announcement, OCR has concluded its thirty-eighth enforcement action since the Right of Access Initiative began in 2019. The eleven resolutions announced total over $646,000 in penalties. Here is a brief breakdown of a few of the cases just released by HHS: The first, against a dental practice, is a $5,000 settlement for failure to comply with the Right of Access provision, which requires covered entities to permit individuals to inspect and obtain a copy of their PHI. An eye care practice did not provide a copy of a patient's medical records until three days after OCR opened its investigation. Now that is crazy!
To settle a potential violation of the HIPAA Privacy Rule's right of access standard, that practice agreed to take corrective actions and pay $22,500. Something as simple as not giving your patients access to their data quickly enough can result in a large fine! One not-for-profit health system learned this the hard way by failing to respond in a timely manner to a complainant's access request, which cost it a whopping $240,000. So whether it is acknowledging a request or delivering the records on time, your practice needs to be on point to avoid these heavy penalties. With the queen bee (Lisa Pino) clearly not joking around about pushing OCR's Right of Access Initiative across practices, we encourage you to make sure you have the right HIPAA compliance measures in place. So what's the holdup? For less than a scratch-off ticket a day you can save your practice from those sneaky fines and become friends with Abyde today!
Oklahoma State University – Center for Health Services Forks Over $875,000 to Settle Hacking Breach
July 15, 2022 What did the duck say when she went to buy lipstick? Put it on my bill! Speaking of bills (the money kind, not a beak), Oklahoma State University – Center for Health Services (OSU-CHS) has to pay a bill of $875,000 to settle a hacking breach of the OSU-CHS web servers. OSU-CHS agreed to pay that amount and complete a two-year corrective action plan to resolve potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. OCR received a breach report in 2018 after OSU-CHS discovered that its web servers had been hacked; the attacker had access to the electronic protected health information (ePHI) of 279,865 individuals. OSU-CHS later determined that the attacker had access to patients' ePHI earlier than originally reported, as far back as March 9, 2016. OCR Director Lisa J. Pino stated, "HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems." As technology in healthcare evolves, it is critical to understand how to secure protected health information (PHI) both where it is stored and when it is sent. With cybersecurity threats on the rise and electronic communication more widespread than ever, securing your patients' data is imperative. Encryption is an excellent way to safeguard your practice: under the Breach Notification Rule, ePHI that was encrypted in line with HHS guidance is not considered "unsecured," so its exposure does not trigger the notification obligations that exposure of unencrypted data does. Good news for you, you don't have to be a sitting duck! (Cough, Abyde.) OCR reported that OSU-CHS failed to follow the HIPAA Rules by: Unfortunately for the Cowboys, their failure to maintain proper security measures, conduct an accurate risk analysis, and document their compliance cost them a large fine and put their patients' ePHI at risk. This breach and its financial settlement show that even for large organizations like OSU, proper risk analysis and HIPAA-compliant policies are a must in order to prevent impermissible access to ePHI.
Even as an independent practice, you may not feel like you have much in common with a big fish like OSU. But whether you're a duck, a fish, or a cowboy, everyone is subject to enforcement and at risk. As penalties for these violations become more severe, it is more crucial than ever to ensure that your practice has a solid HIPAA program in place.
Dentistry HIPAA Fines
March 29, 2022 Dental practices are no longer flying under the radar! The Office for Civil Rights (OCR) just concluded its twenty-seventh Right of Access enforcement action since the initiative began in 2019. The announcement covers four penalties totaling over $170,000, all under the HIPAA Privacy Rule: two are Right of Access cases, and the other two involve impermissible disclosure of patients' protected health information (PHI). Here is a brief breakdown of the three dental cases just released by HHS: The first dental action is a $30,000 settlement, down from the $104,000 initially cited, for failure to comply with the Right of Access provision, which requires covered entities to permit individuals to inspect and obtain a copy of their PHI. Nearly two and a half years after the original citation, the practice has also had to complete a package of corrective actions, making for a costly and lengthy resolution. Something as simple as a Google review response can get you fined! One provider learned the dos and don'ts of reputation management the hard way: a patient filed a complaint with OCR after the provider included the patient's full name and PHI in a public review response. That cost the practice a whopping $50,000! Not the usual politician slip-up, but a provider running for office learned not to mix business and pleasure. As part of his political campaign, he shared the names and addresses of over 5,000 patients with both his campaign manager and a third-party marketing company to send letters and emails, resulting in a $62,500 settlement that surely put a roadblock on his campaign trail! With OCR cracking down on its Right of Access Initiative across dental practices, we encourage you to make sure you have the right HIPAA compliance measures in place. With an hour of your time, we will get you everything you need. How much is an hour of your time worth? We bet it's not $170,000!
NY Attorney General Announces $600K Settlement for HIPAA Breach Impacting 2.1M People
January 28, 2022 We aren't even a full month into 2022 and it already looks like increased HIPAA enforcement might be a New Year's resolution for the state of New York. Starting the year off strong, New York Attorney General Letitia James just announced a $600,000 settlement with vision benefits provider EyeMed over a healthcare data breach that compromised the protected health information (PHI) of over 2.1 million individuals. It all started back in June 2020, when attackers got hold of an EyeMed email account that was not protected by multi-factor authentication and was not subject to adequate password management. In the week the attackers had access to the account, they were able to view emails and attachments going back up to six years. The following month, the same attacker used the account to send roughly 2,000 phishing emails designed to harvest the login credentials of other EyeMed users. The lack of proper safeguards and security protocols exposed millions of individuals' names, Social Security numbers, addresses, medical diagnoses, and other sensitive data. This settlement adds to the continued rise in cyberattacks and government enforcement seen over the past few years, and shows again how important a strong cybersecurity and HIPAA program is for healthcare providers. So if your New Year's resolution is to avoid a cyberattack yourself, we recommend making sure you have the following in place: While data breaches and cyberattacks aren't always avoidable, checking off the items above is a great way to reduce your odds. And if you already experienced a breach in 2021, note that the annual deadline for reporting smaller breaches (those affecting fewer than 500 individuals, which HIPAA allows to be reported to HHS within 60 days of the end of the calendar year in which they were discovered) is rapidly approaching on March 1, 2022.
As for any major incident affecting 500 or more individuals, the report to HHS and the notices to affected individuals are due without unreasonable delay and no later than 60 days from discovery (or sooner, depending on your state's breach notification law). So some final words of advice? Have the necessary compliance and security programs in place to protect your practice from falling victim to an attack like EyeMed's. And if you do experience a breach, follow the breach reporting requirements to limit the fines and penalties that could result.
NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation
December 21, 2021 Handling sensitive information without the right safeguards in place is like playing with fire, and we've all seen enough headlines to know how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA agreed to strengthen its data security and privacy practices to prevent further breaches. The investigation was sparked in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first breach occurred after several RCCA employees fell victim to a targeted phishing scheme that gave attackers unauthorized access to patient data stored in those employees' email accounts from April through June 2019. The exposed data included driver's license, Social Security, and financial account numbers along with other health records. While the threat of phishing can be reduced through proper cybersecurity measures and employee training, the bigger problem began in RCCA's attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified affected patients in July of that year. However, the third-party vendor it used to send the notices improperly addressed the notification letters intended for 13,047 living patients to those patients' next of kin. As a result, patients' relatives were informed of their medical conditions without consent, adding even more fuel to the blaze the initial breach set off.
Now, a single lit match wouldn't ignite a settlement of this size; rather, it was RCCA's failure to do all of the following: So while the rising trend of healthcare data breaches won't be easily extinguished, keeping your practice protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority, and the message from Acting Attorney General Bruck, "We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short," will hopefully spark some change.
OCR Settles 5 HIPAA Right of Access Violations
December 1, 2021 In celebration of 'Giving Tuesday' this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally), announcing five separate HIPAA Right of Access resolutions in one day. You might think this is a historic first for same-day settlements, but just last September OCR made a similar five-resolution announcement. The latest enforcement brings the Right of Access settlement count to 25 and the dollars collected to $1,505,650 since the government announced its initiative in 2019. And while the not-so-lucky recipients of the government's "gifts" vary in size, specialty, and location, failing to honor individuals' right to timely access to their medical records is the one thing all of these practices share.
Wake Health Medical Group: The first of the five settlements went to a primary care provider in North Carolina, which agreed to a $10,000 payment and a corrective action plan to resolve its violation of the HIPAA Privacy Rule's Right of Access standard.
Denver Retina Center: Violation number two went to a Denver-based ophthalmology practice and included a $30,000 settlement and a one-year corrective action plan to resolve its potential Right of Access violations.
Advanced Spine & Pain Management (ASPM): The third settlement went to an Ohio provider of chronic pain management and treatment services, whose Privacy Rule violations resulted in a $32,150 payment and a corrective action plan with two years of monitoring.
Rainrock Treatment Center, LLC (dba Monte Nido Rainrock): Violation number four went to a licensed eating disorder treatment provider in Oregon, which agreed to pay $160,000 and complete a one-year corrective action plan to settle its potential HIPAA violations.
Dr. Robert Glaser: Last but certainly not least, the fifth action came as a result of not only failing to provide a patient with a copy of their medical records but also failing to cooperate with OCR. The New York-based internal medicine and cardiovascular disease specialist did not respond to OCR's data requests and waived his right to a hearing, leaving him with a civil money penalty of $100,000 rather than a negotiated settlement.
In addition to the announcement, recently appointed OCR Director Lisa J. Pino issued a statement in response: "Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed." While these gifts might not have come wrapped in a bow, they did bring along a recurring theme that we encourage all providers to unpack themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself a widespread gap that OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another "Giving Tuesday," getting your organization HIPAA compliant and meeting all government requirements, including patient Right of Access, is the year-round gift that keeps on giving, so you can avoid making the next OCR settlement list.
OCR Announces 20th HIPAA Right of Access Settlement
September 10, 2021 There might be no such thing as time travel, but with the latest HIPAA settlement announcement it looks like the Office for Civil Rights (OCR) has traveled back to its own version of the Roaring '20s. Two years and twenty resolutions later, the government initiative supporting individuals' right to timely record access has driven its own little economic boom, with the 20th financial penalty bringing the Right of Access running total to $1,173,500. Children's Hospital & Medical Center (CHMC) became the most recent healthcare organization to settle with OCR, with an $80,000 payment and a corrective action plan that includes one year of OCR monitoring. While the Nebraska-based pediatric provider probably isn't too jazzed about the repercussions, the penalty stems from an equally unhappy individual who was not given the access HIPAA is meant to ensure. The issue came to OCR's attention in May 2020, when a parent filed a complaint alleging that CHMC failed to provide full access to her late daughter's medical records. The complaint stated that while CHMC fulfilled part of the request, it failed to provide all of the requested records despite the parent's several follow-up requests. The delay was partly because the remaining records had to be obtained from a different CHMC division, but full access was not provided until after OCR's investigation. In addition to the resolution agreement, Acting OCR Director Robinsue Frohboese said in a statement, "Generally, HIPAA requires covered entities to give parents timely access to their minor children's medical records, when the parent is the child's personal representative. 
OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.” While this settlement shares plenty of similarities with the 19 other examples of noncompliance seen since the enforcement initiative started, it is worth noting that this $80,000 penalty was the result of a single patient complaint. And though the Roaring ’20s were a relatively short-lived era, the proposed updates to the HIPAA Privacy Rule and expansions to the OCR budget are enough to predict that the Right of Access enforcement initiative isn’t going anywhere anytime soon. So with the latest settlement serving as a perfect example of how much damage a single HIPAA complaint can do to a healthcare organization, fulfilling every medical record request in a timely and HIPAA-compliant manner is essential if you want to avoid becoming lucky settlement number 21.
The Cost of a HIPAA Violation
September 3, 2021 We’ve all seen enough news headlines to know that the going rate for a HIPAA violation isn’t cheap. This past year has tallied up more than a handful of fines with numbers that might not make Jeff Bezos do a double-take, but certainly have us seeing dollar signs. Not to mention that the first fine of 2021 brought in $5.1 million on its own. And although not every HIPAA violation warrants front-page status, even the minimum fine amount can do major damage, especially when a small, independent practice is footing the bill. So if you’re looking for an exact figure, to date the Office for Civil Rights (OCR) has collected on 101 settlements and civil money penalties to the tune of $135,328,482. A check that size doesn’t add up without reason, so what caused it to accumulate, and why so high? When HIPAA was first enacted in 1996, the goal was to establish a set of standards to protect sensitive health information in the medical industry. But as the later Privacy and Security Rules laid out a laundry list of requirements for covered entities to follow, many failed to fully comply. So in 2006 the government came up with a solution, and the HIPAA Enforcement Rule was born. That rule is what started the tab on this nine-figure bill, granting OCR the authority to hold covered entities and their business associates accountable for noncompliance with fines and other penalties. Now, just as the repercussions for speeding are understandably different from those for highway robbery, HIPAA fines also come with a “prices may vary” label attached.
Each penalty is determined based on the organization’s level of culpability, that is, the extent to which it knew or should have known that HIPAA rules were being violated, and is broken down into the following four tiers: If you were wondering, the fact that these amounts apply per violation is why we see those multi-million dollar fines, and with HIPAA’s many different rules come a lot of different ways to break them. But monetary penalties aren’t the only thing violators have to worry about. HIPAA settlements are usually a package deal that includes a corrective action plan, typically with anywhere from one to three years of OCR monitoring. And if hefty fines and the government breathing down your neck aren’t enough to show how costly violations can be, in cases where HHS finds knowing or malicious misuse of PHI the Department of Justice can step in and pursue criminal penalties, with a maximum prison term of 10 years. We know that talk of hefty fines and possible jail time puts a damper on things, but with every piece of bad news there’s typically good news to follow. The good news is that there are ways to avoid these worst-case scenarios, including recently passed legislation like the 2021 HIPAA Safe Harbor law, which directs HHS to consider whether an organization had recognized security practices in place for the prior 12 months when determining penalties for incidents like data breaches that aren’t as easily avoidable. But the best protection? A full understanding of your organization’s responsibilities and a complete HIPAA compliance program that checks all the government’s boxes. Because after all, with how high the cost of a violation can be, you can’t put a price tag on the peace of mind that comes with being compliant.
OCR Announces 19th Right of Access Settlement
June 2, 2021 With the official kickoff of summer only a few weeks away, the Office for Civil Rights (OCR) is getting some last-minute spring cleaning in, announcing its latest HIPAA settlement with a practice whose Privacy Rule violations couldn’t be swept under the rug. Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was handed a $5,000 payment and a two-year corrective action plan (CAP) to help clean up a “HIPAA mess” that started back in 2019. Today’s settlement marks the 19th Right of Access settlement since OCR officially announced its initiative two years ago. Ironically enough, around the same time the government was declaring its focus on enforcing the standards around patient rights, DELC became a perfect example of just how many practices weren’t upholding them. The incident began in July 2019, when a parent requested access to her minor child’s health records. After DELC failed to act on the request in a timely manner, a complaint was filed with OCR in early August 2019. It wasn’t until OCR got involved that the practice finally provided access, almost two years after the initial request. Though the dollar amount is on the lower end of what OCR typically doles out, the corrective action plan has plenty of requirements to make up for it, including, to name a few: This hefty “honey-do list” shows that the dollar amount doesn’t cover all the costs of violating HIPAA and why it is so important to get your practice’s compliance efforts in order before an incident occurs. So while DELC took longer to fulfill the request than it would take to dust every book in the Library of Congress, OCR hasn’t delayed in doing quite a bit of housekeeping of its own. With 19 settlements and $1,093,500 collected for patient Right of Access violations, OCR has stuck to its initiative and continued to sweep up any and all violators.
And though the settlements range in resolution amount, corrective action requirements, and organization size and specialty, the message has always been the same, as reiterated by Acting OCR Director Robinsue Frohboese: “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”
OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations
May 25, 2021 No matter the time of year, HIPAA enforcement never goes out of season, and today’s announcement from the Office for Civil Rights (OCR) proves it. The latest HIPAA settlement, the sixth of the year, involves Peachstate Health Management, LLC, a clinical laboratory based in Georgia that provides diagnostic and laboratory-developed tests. The settlement stems from Peachstate’s failure to meet several HIPAA Security Rule requirements and resulted in a $25,000 payment and a three-year corrective action plan issued by OCR, a result that probably didn’t leave the organization feeling too peachy after all. So what happened? It may seem like comparing apples to oranges to set this settlement beside the ones we’ve recently seen centered on patient Right of Access violations and large cyberattacks. But this one resulted from a mix of very relevant factors, from data breaches to telehealth and business associates, with systemic noncompliance at its core. It started back in 2015, when the U.S. Department of Veterans Affairs (VA) reported a data breach involving its telehealth services program, which was managed by its business associate, Authentidate Holding Corporation (AHC). A year later, OCR initiated a compliance review of the business associate and learned that AHC and Peachstate had entered into a reverse merger in January 2016, through which AHC acquired Peachstate. As a result, OCR opened a separate compliance review of Peachstate and found the laboratory ripe for the picking, with ongoing noncompliance in the following key areas: In addition to the fine and the extensive corrective action plan, OCR’s message to other healthcare organizations is the cherry on top and should not be taken lightly.
“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.” So in other words, the only way to avoid being the low-hanging fruit for a HIPAA violation is to make sure your healthcare organization has met the basic Security Rule standards Peachstate was missing. And while an apple a day might keep the doctor away, this latest settlement is yet another example of why having a complete compliance program in place is so essential to keeping your practice away from OCR scrutiny and avoiding a HIPAA fine like this one.