June 2, 2021

With the official kickoff of summer only a few weeks away, the Office for Civil Rights (OCR) is getting some last-minute spring cleaning in – announcing their latest HIPAA settlement with a practice whose Privacy Rule violations couldn’t be swept under the rug. Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was handed a $5,000 fine and tasked with a two-year corrective action plan (CAP) to help clean up their “HIPAA mess” that started back in 2019.

Today’s fine marks the 19th Patient Right of Access settlement since the OCR officially announced their initiative two years ago. And ironically enough – around the same time that the government was declaring their focus on enforcing the standards around patient rights, DELC became a perfect example of just how many practices weren’t upholding them.

The incident began in July of 2019 when a parent requested access to her minor child’s health records. After DELC failed to take timely action in response to the request, a complaint was filed with the OCR in early August 2019. It wasn’t until the OCR got involved that the healthcare organization finally provided access, almost two whole years after the initial request.

Though the fine amount might seem on the lower end of what the OCR typically doles out, the corrective action plan has plenty of requirements to make up for it, just to name a few:

This hefty “honey-do list” shows that the dollar amount doesn’t cover all the costs associated with violating HIPAA and proves why it’s so important to get your practice’s compliance efforts in order before an incident occurs. So while DELC took longer to fulfill the request than it would take to dust off every book in the Library of Congress, the OCR hasn’t delayed in performing quite a bit of housekeeping themselves. With 19 settlements and $1,093,500 collected on behalf of patient right of access violations, the OCR has stuck to their initiative and continued to sweep up any and all violators.
And though the settlements all range in resolution amount, corrective action requirements, and organization size and specialty – the message has always been the same, and it was reiterated by Acting OCR Director Robinsue Frohboese: “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”
OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations
May 25, 2021

No matter the time of year, HIPAA enforcement never goes out of season, and we have today’s announcement from the Office for Civil Rights (OCR) to prove it. The latest HIPAA settlement, and sixth of the year, involves Peachstate Health Management, LLC – a clinical laboratory based out of Georgia that provides diagnostic and laboratory-developed tests. The violation stemmed from Peachstate’s failure to meet several of the HIPAA Security Rule requirements and led to a $25,000 fine and 3-year corrective action plan issued by the OCR – a result that probably didn’t leave the organization feeling too peachy after all.

So what happened? Well, it may seem like comparing apples to oranges when looking at what triggered this settlement versus the ones we’ve recently seen centered around patient right of access violations and large cyberattacks. But the latest violation resulted from a variety of different and very relevant factors, from data breaches to telehealth and business associates, with systemic noncompliance at its core.

It started back in 2015 after the U.S. Department of Veterans Affairs (VA) reported a data breach involving their telehealth services program managed by its business associate, Authentidate Holding Corporation (AHC). A year later, the OCR initiated an investigation into the business associate’s compliance program, where they uncovered that AHC and Peachstate had earlier entered into a reverse merger in January of 2016 whereby AHC acquired Peachstate. As a result of this finding, the OCR opened up another compliance review into Peachstate and found that the clinical laboratories were ripe for the picking in their ongoing noncompliance in the following key areas:

In addition to the fine and extensive corrective plan that the OCR issued, their response to the incident and message for other healthcare organizations is the cherry on top and should not be taken lightly.
“Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information,” said Robinsue Frohboese, Acting OCR Director. “This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.” So in other words – the only way to avoid being the low-hanging fruit for a HIPAA violation is ensuring that your healthcare organization has met these basic standards that Peachstate was missing. And while an apple a day might keep the doctor away, this latest settlement is yet another example of why having a complete compliance program in place is so essential to keeping your practice away from OCR scrutiny and avoiding a HIPAA fine like this one.
HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced
March 26, 2021

Looks like the Office for Civil Rights (OCR) just decided to play a quick round of 18 – announcing their 18th right of access settlement (and second of the week) with yet another practice whose HIPAA compliance efforts were well below par. Village Plastic Surgery (“VPS”) was the latest to tee off against the OCR in a matchup that resulted in a $30,000 fine and two-year corrective action plan. And with the 17th right of access settlement announced only two days ago – the tough loss endured by the New Jersey-based provider was just par for the course.

The round began back in September of 2019, after a patient filed an all-too-familiar complaint with the OCR that the practice had failed to respond to their record request made a month prior. Unlike previous settlements where the organization was first provided with technical assistance, all it took was a single patient complaint for the OCR to determine that VPS failed to meet right of access standards – setting the tone that there are no mulligans when it comes to a HIPAA violation.

It’s pretty clear that if you’re not meeting HIPAA requirements, becoming the next opponent on the OCR’s lineup is anyone’s game. But if two fines in one week don’t drive the point home, maybe the latest statement from OCR Director Robinsue Frohboese will be right on target: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner, covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

So, with $5,540,000 collected in HIPAA fines in 2021 alone and patient right of access being a clear government focus – ensuring that your practice’s compliance program is up to par is the best and only way to steer clear of the next round of OCR enforcement.
OCR Continues to Take Non-Compliance By Storm – Announcing 17th Right Of Access Settlement
March 25, 2021

We are definitely no meteorologists over here, but if there’s one pattern that we’ve gotten pretty good at predicting, it’s the government’s focus on HIPAA non-compliance. And with another right of access settlement hitting our inboxes just yesterday – it’s looking like HIPAA enforcement season is in full effect.

Arbour, Inc., d.b.a. Arbour Hospital (“Arbour”), was the latest to get caught in the Office for Civil Rights (OCR) storm – but instead of heavy rainfall and thunder, the Massachusetts-based behavioral health provider was hit with a whopping $65,000 fine and corrective action plan. The announcement marks the 17th right of access settlement since the OCR declared their enforcement initiative back in the fall of 2019, proving that whoever said lightning never strikes the same place twice clearly didn’t know HIPAA.

Arbour first showed up on the OCR’s radar back in July of 2019, after they received a complaint alleging that the practice had failed to respond to a patient’s record request in a timely manner. Despite the OCR providing technical assistance, the practice took a rain check on providing record access, and a second patient complaint came rolling in later that month. As a result of the OCR’s investigation, Arbour finally provided the patient with their records more than 5 months after the patient’s initial request – making the perfect storm for a HIPAA violation.

With 17 cases settled and $1,068,500 collected in fines since the right of access initiative began, it’s looking like when it rains, it pours as far as OCR enforcement is concerned.
And if the numbers aren’t telling enough, Acting OCR Director Robinsue Frohboese made her storm warning loud and clear in her latest statement: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.”

A key takeaway from the 17 practices caught in the government’s flood zone? In more than half of the published settlements, the organization was notified twice by the OCR and provided with technical assistance. And if they had listened to the first warning siren, they could’ve potentially avoided the settlement entirely. Since taking timely action in response to a patient’s records request has proven to be an ongoing issue for covered entities of all specialties and sizes, and the proposed HIPAA Privacy Rule changes would shorten the record response time from 30 days to 15 days, we can foresee dark skies ahead if practices don’t start complying.

So, how do you avoid the hailstorm that comes with an OCR audit? Simply put, ensuring your practice adheres to state and federal Patient Right of Access laws, while also having the necessary policies and procedures to back it up, is a great place to start. But in order to fully weather the elements of government enforcement, you must meet ALL of the requirements that fall under the HIPAA umbrella and keep your compliance program a priority come rain or shine.
OCR Announces 16th Right of Access Settlement
February 12, 2021

Today the Office for Civil Rights (OCR) is celebrating their Sweet 16 – sixteenth HIPAA Right of Access fine, to be exact. Instead of party hats and birthday cake, they’re kicking off the festivities with a hefty settlement and second HIPAA fine this week. The not-so-lucky guest of honor is Sharp HealthCare, d.b.a. Sharp Rees-Stealy Medical Centers (“SRMC”), a health care provider based out of California. SRMC was gifted with a $70,000 fine along with a 2-year corrective action plan for violating HIPAA right of access requirements.

The ‘party’ began back in June of 2019 after the OCR received a complaint stating that SRMC failed to respond when a patient requested that an electronic copy of their protected health information (PHI) be sent to a third party (sound familiar?). The ‘party’ didn’t stop there: even after the OCR provided technical assistance, they received a second complaint just two months later alleging that SRMC had still not provided the requested access. It wasn’t until after the OCR investigated further that SRMC finally fulfilled the patient’s request.

Not only did today’s announcement take the cake (party pun intended) as the second fine released just this week, but the details of the most recent settlements are so similar we feel like we’re seeing double. Both fines were a result of patient right of access violations, and more specifically the failure to provide an electronic copy of health records to a third party. So the lesson to be learned? Ensure your practice is providing access in a timely manner and in the way it was requested.

Acting OCR Director Robinsue Frohboese emphasized the government’s continued focus in today’s press release: “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” After a historic year in HIPAA enforcement, four HIPAA settlements in the first two months of 2021 should come as no shock.
If crashing the HIPAA violation party isn’t something you’re keen on (we’re not the life of the party ourselves, but even we don’t think that would be too much fun) then having the right policies and procedures in place along with the proper employee training on how to respond to record requests is key.
OCR Settles 15th Right of Access Violation
February 10, 2021

The Office for Civil Rights (OCR) started 2021 off with some heavy hitters – including a $5.1 MILLION fine only 15 days into the year – but their fifteenth HIPAA right of access settlement (and counting – we’re taking bets on how many they get in before the end of the year) emphasizes that they’re not just going after the big guys when it comes to keeping HIPAA programs in check. Renown Health, P.C., a private, not-for-profit health provider out of Nevada, became the third HIPAA violator of the new year after failing to meet HIPAA right of access requirements back in 2019. The violation came with a hefty penalty of $75,000, along with a 2-year corrective action plan.

So what happened? This time two years ago, the OCR received a complaint that Renown Health failed to fulfill a patient’s request for an electronic copy of their medical and billing records. In this particular instance, the patient had requested to have it sent to a third party – something that HIPAA not only allows for, but expects providers to fulfill. Singing the same tune as last year’s many access-related fines, it wasn’t until after the OCR got involved and investigated further that Renown Health finally provided access to all of the requested records.

Acting OCR Director Robinsue Frohboese weighed in on the latest settlement: “access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis.”

What this means for you

With 15 right of access settlements under their belt, the OCR has made it clear that providing proper access in the way records are requested is key – not to mention the ticking clock (30 days, or less depending on the state) that goes with any record request. With the proposed changes to the HIPAA Privacy Rule suggesting an even shorter time frame to respond to record requests, providing timely access should be on every practice’s radar.
If it’s not, or even if it is, making sure to have documented policies around how records are provided and recording requests in a written format is key to preparing your practice should you wind up as part of the OCR’s right of access crusade. Not sure where your current HIPAA program stands, especially when it comes to patients’ access rights? Schedule a complimentary consultation with one of our HIPAA experts today to see what you might be missing before it’s too late!
OCR’s First Settlement of the Year: More HIPAA Right of Access Violations
January 12, 2021

The Office for Civil Rights (OCR) wasted no time starting on their new year’s resolutions, announcing their 14th settlement as part of the HIPAA Right of Access Initiative just 2 weeks into 2021. Patient right of access fines are starting to become a monthly occurrence, and it’s no surprise that the OCR would start off the new year with the same enforcement efforts they ended 2020 with.

Banner Health, an Arizona-based non-profit health system operating 30 hospitals, primary care, urgent care, and specialty care facilities across the country, became the OCR’s first victim of the year with the largest right of access fine to date – $200,000. This hefty payout comes as a result of two separate complaints filed against Banner Health, both highlighting the health system’s noncompliance with the HIPAA right of access standard.

If today’s settlement isn’t enough reason to avoid dragging your feet on records requests and get HIPAA compliant ASAP, maybe the latest statement from OCR Director Roger Severino will seal the deal: “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.”

The OCR has clearly hit the ground running with HIPAA enforcement in the new year, and it’s more important than ever to get your practice compliant. OCR Director Roger Severino has been beating the same right of access drum for over a year, and it’s no surprise given that audit results released just this past December show that most covered entities (a whopping 89%) don’t meet patient access requirements. Concerned your practice falls in that boat? Schedule a consultation today with one of our HIPAA experts to see where you currently stand and what you need to do to avoid falling into the government’s crosshairs in 2021.
North Texas Dental Practice Fined $15K for OSHA Whistleblower Violations
March 3, 2023

Blow the whistle… No, not like the 2006 Too Short song, but OSHA’s Whistleblower Protection Program. Whistleblower protection laws are in place to prevent retaliation against employees who report safety violations, discrimination, or other illegal activities in the workplace. Under the Occupational Safety and Health Administration (OSHA) Whistleblower Protection Program, employees who report such violations are protected from retaliation by their employers. This protection covers not only termination but also other forms of retaliation such as demotion, reduction in pay, or denial of overtime or promotions.

Why would a practice retaliate for a complaint received instead of mitigating the risk and working toward a culture of compliance? That is a $15,706 question, and unfortunately, Roger and David Bohannan of Roger H. Bohannan DDS Inc. have to answer it. While on furlough in early 2020, a dental hygienist and a dental assistant at the practice asked what coronavirus safety measures would be in place once patients and employees returned. When the practice did reopen, those two employees were not reinstated simply because they expressed their concerns and cited guidance from the Centers for Disease Control (CDC) and OSHA. Further investigation found that Bohannan Dentistry discriminated against employees for exercising their rights under section 11(c) of the OSH Act, which prohibits retaliation by employers against workers who “blow the whistle” by exposing health and safety hazards.

In a statement, OSHA Regional Administrator in Dallas Eric S. Harbin said, “Like all workers, these two people had every right to speak up without the fear of losing their jobs. We want workers to know that OSHA is here to protect their rights, and we won’t hesitate to exercise our authority when they are violated.”

OSHA administers more than 20 whistleblower statutes, with varying time limits for filing.
The time frame for filing a complaint begins when the adverse action occurs and is communicated to the employee. Reporting deadlines vary from 30 to 180 days, specific to each statute. It is important for employees to know that they have rights under the law to report safety violations and other illegal activities without fear of retaliation. Employers have a responsibility to provide a safe and healthy workplace, and OSHA’s Whistleblower Protection Program helps to ensure that employees can speak up when they see something that is not right.
OCR Announces 13th Right of Access Fine, Drives Home Importance of Record Requests
December 22, 2020

The Office for Civil Rights (OCR) has been in the giving spirit the past few months, and they couldn’t close out 2020 without handing out at least one last holiday gift. We know there are only 12 days of Christmas as the song goes – and we don’t think the OCR will be handing out lords-a-leaping or pipers piping anytime soon – but there IS one more gift not mentioned in the classic song (at least in the OCR 2020 edition): 13 patient right of access fines. The latest settlement adds to quite a historic year for HIPAA enforcement – and proves just how unprepared many practices have been when it comes to HIPAA compliance.

This week’s extra gift went to Peter Wrobel, M.D., whose practice, Elite Primary Care out of Georgia, found itself doing a little extra holiday spending this year after settling with the OCR for $36,000. The settlement resolved a patient right of access complaint from April 2019, which took over a year to fully wrap (present-related pun intended). Here are the highlights from this latest fine:

Important notes for any covered entity? Make sure to provide records in a timely manner, AND in the way the patient requests them. Additionally, requests can be submitted in any form (verbal, written or otherwise), but documented, written requests are always key to best protecting your practice and meeting timeframe requirements. Take a minute to brush up on how to handle access requests if your practice needs a refresher.

Taking over a year to get records access is already a bad call, but proposed changes to the HIPAA Privacy Rule will make the typical 30-day timeframe to provide records even shorter. When it comes to patients getting access to their own PHI, the OCR is serious about keeping covered entities of all sizes in line.
While this may not have been the gift Elite Primary Care was wishing for this year, it did come with some wise words of advice from OCR Director Roger Severino: “OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee.” We hope your practice gets a better gift this year than a hefty fine – but if you aren’t certain where you stand, get the gift of confidence in your HIPAA program by scheduling an educational webinar today!
OCR Continues HIPAA Right of Access Fine Streak, Announces 12th Settlement
November 19, 2020

Reporting new HIPAA settlements has become a weekly routine this month (we’ve got our calendars marked for next week’s already), and after today’s announcement of the Office for Civil Rights (OCR) 12th right of access initiative settlement (the third in November), we now have enough patient right of access fines to last us a whole year. This week’s HIPAA headline goes to the University of Cincinnati Medical Center, LLC (UCMC), an academic medical center that provides healthcare services to the Greater Cincinnati community. UCMC agreed to a $65,000 payout as well as a 2-year corrective action plan with the OCR to settle a violation of (you guessed it) the HIPAA right of access standard.

The by-now familiar story began back in May of 2019, when the OCR received a complaint that UCMC failed to respond to a patient’s request that her electronic health records (EHR) be sent directly to her lawyers on February 22, 2019. After further investigation and a little push from the OCR, the medical center finally provided the requested records in August of that year.

While we’ve seen more than a handful (2 handfuls plus two fingers, to be exact) of patient right of access fines over the past year, this specific settlement is a great example of not only failing to provide patient records in a timely manner, but also failing to provide them in the format they were requested in. HIPAA requires covered entities to be able to provide patients with a copy of their records in the format they request – either in paper or electronic form – as well as to transmit records directly to a third party if specified. If it isn’t possible to provide records the way a patient requests, the covered entity must agree to an alternative method with the requester.
Emphasizing the importance of providing records in the format requested, OCR Director Roger Severino added that “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.”

Today’s settlement brings the running count of 2020 HIPAA fines to a total of $13,291,500 with 6 weeks still left in the year. If the weekly fine trend continues, we could expect at least 6 more HIPAA settlements and a whole lot of $$$ to come rolling in before 2020 finally ends. While we’re all looking forward to 2020 calling it quits, 6 more fines would blow 2019’s enforcement records out of the water. With annual HIPAA deadlines right around the corner and weekly examples of why you should ensure your practice is compliant, we couldn’t think of a better time to add HIPAA to the top of your to-do list!