September 15, 2020

Earlier today the Office for Civil Rights (OCR) announced five HIPAA settlements (yes, you read that right, five), breaking the record for total HIPAA settlements in one day. Since 2019 the OCR has homed in on its HIPAA Right of Access Initiative, prioritizing patients’ ability to access their medical records in a timely manner. These five settlements bring the total to seven access-related enforcement actions – so if you need any hints on what your practice should be looking out for, this is it.

1. Housing Works Inc.

This $38,000 fine resulted from a complaint received by the OCR last July alleging that Housing Works Inc., a New York City based non-profit organization, failed to provide the complainant with a copy of their medical records. The OCR received a second complaint a month later stating that the practice still hadn’t provided the patient with record access (strike number two), which ultimately led to a hefty fine along with a corrective action plan.

2. All Inclusive Medical Service, Inc.

This Carmichael, CA based medical practice agreed to a $15,000 fine and corrective action plan after the OCR received a complaint in April 2018 that the practice had denied a patient access to inspect and receive a copy of her records in January 2018. Only after the OCR’s investigation was the patient given access to her records – 32 months (almost three years) after she had initially requested them.

3. Beth Israel Lahey Health Behavioral Services (BILHBS)

This whopping $70,000 HIPAA settlement came from a complaint alleging that the behavioral health corporation failed to respond to a request from a personal representative seeking access to her father’s medical records in February 2019. The OCR investigation found that BILHBS failed to complete the request, which meant a costly violation of the HIPAA Right of Access.

4. Wise Psychiatry, PC

This psychiatry practice based in Colorado agreed to a $10,000 settlement along with a corrective action plan after the OCR received a patient right of access complaint related to not providing a personal representative with access to their minor son’s medical records in February of 2018. The OCR provided the practice with technical assistance and closed the complaint just a few months later, but Wise Psychiatry found themselves back on the OCR’s radar in October 2018 when a second complaint from the same individual was filed noting that the records still had not been received. It wasn’t until May 2019 that the patient records were finally provided.

5. King MD

Last but not least (actually, we take that back, this is the smallest HIPAA fine to date), Patricia King MD & Associates – a psychiatric care provider in Chesapeake, Virginia – agreed to pay a $3,500 fine along with adopting a corrective action plan to settle a potential HIPAA right of access violation. In October of 2018, the OCR received a complaint that the practice had failed to respond to an individual’s request for record access in August 2018. After the OCR provided them with technical assistance, the complaint was closed. However, in February 2019, the OCR received a second complaint stating that King MD had still failed to provide the same patient with proper access, and as a result the practice was hit with a violation.

The main takeaways? Well, if it isn’t already obvious, providing patients with timely access to their medical records is extremely important and is something that is commonly missed by practices. While Patient Right of Access is an enforcement priority for the OCR, that doesn’t mean it’s the only thing you have to watch out for.

OCR Director Roger Severino emphasized in the announcement that, “Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.” If you needed any more reason to get HIPAA compliance to the top of your priority list – five violation settlements announced all in one day should do the trick.
What is a ‘Corrective Action Plan’?
September 9, 2020

HIPAA Settlements are more than just $$$

If you’re like most practices, you might just see $$$ when a HIPAA fine makes the news. And yeah – million dollar fines are no joke. But a HIPAA violation settlement is more than just a dollar sign, and often includes something called a ‘corrective action plan’. This corrective action plan, or CAP, is basically equivalent to ‘you messed up, here’s two years of administrative paperwork to fix your issues and think about what you’ve done.’ Yeah, you read that right – two years. If you thought paying a fine and putting it behind you was the extent of the bad news, we’re here to tell you why a CAP is just as important if you’re slapped with a HIPAA violation.

ALL the Paperwork

The goal of a CAP is to correct the issues that caused the HIPAA violation in the first place. However, CAP requirements aren’t just a simple ‘do this next time’ and involve quite a bit of paperwork. Over the course of the designated time frame, typically one to two years, practices are required to:

Let’s face it, no one likes paperwork (even hearing the word makes us cringe). Completing what’s required in a CAP is often far more paperwork than maintaining a regular HIPAA compliance program would be – another reason to be compliant before an incident occurs.

Even More Consequences

Failing to complete a corrective action plan within the designated time frame can void the initial settlement and can leave a practice open to additional fines and penalties – yikes. It may just be paperwork, but the OCR takes it seriously, and it leaves practices having to juggle a CAP on top of their already full plate of patient care, regular operations, and reputation management after landing in the news for a HIPAA violation. So, who doesn’t want to be stuck with a mound of paperwork and the OCR breathing down your neck? (We’re raising our hand – both hands, actually.)

Getting ahead of violations by completing the SRA (Security Risk Analysis) and HIPAA program requirements before a breach, complaint or audit will save your practice the pain of a CAP and help avoid a violation in the first place. After all, if you have all the right policies, SRA, and risk management plan in place before a breach, you’ve already got the OCR requirements down – but with less time spent, on your own schedule, and without the OCR looking over your shoulder.
Top 4 HIPAA Violations Your Practice Should Avoid
September 4, 2020

Even with everything else going on in the world today, HIPAA violations are still making headlines. While these news stories reinforce that the Office for Civil Rights (OCR) hasn’t let up on HIPAA enforcement, they also provide great examples of what not to do when it comes to your own practice. Based on these violations and recent OCR investigation data, we’ve compiled the top four types of violations investigated by the OCR:

1. Impermissible Uses & Disclosures

The reigning champion of HIPAA violations over the past 5 years – impermissible uses or disclosures – covers any access, use, or sharing of protected health information (PHI) that is done in a manner not permitted under HIPAA and compromises the security or privacy of a patient’s sensitive information. Common culprits include:

Having the right policies in place outlining the proper ways staff may use and disclose PHI is key to ensuring your practice doesn’t join the growing list of improper use violators.

2. Missing Physical, Technical and Administrative Safeguards

HIPAA law requires practices to implement safeguards to ensure PHI is protected and secured. These safeguards include:

Failing to implement key safeguards is what gets practices into trouble, which is why it is essential to perform in-depth as well as ongoing Security Risk Analyses in order to properly identify which safeguards are missing.

3. Improper Access

Your data library shouldn’t be fair game to every employee regardless of their role. Even if it’s just a glance at a patient’s information, any access to patient information that is not necessary to complete a specific job function is a violation of HIPAA. With remote work becoming more and more common, we can expect improper access violations to rise as employees use data in less secure environments and with less supervision than there would be in a typical practice setting.

Appropriate access is featured heavily in HIPAA, and it’s important to limit and document your access roles. It’s not just internal access to PHI that can get your practice into trouble. There are specific guidelines for providing patients with medical records as well, and while this may seem straightforward, 51% of providers fail to comply with HIPAA Right of Access laws. Understanding what Patient Right of Access laws entail is important to keeping your patients happy and avoiding a problem with the OCR.

4. Violations of Minimum Necessary Requirement

Less is more when it comes to sensitive health information. Only the minimum information necessary should be provided when PHI is requested, accessed, or disclosed. Violations of this requirement could include providing additional information, such as previous medical conditions, that may not pertain to the actual purpose of the task at hand. Having proper training and documented policies in place that define what information is considered necessary is an essential piece of protecting your patients’ information and steering clear of a HIPAA violation.

A Violation is Just a Slap on the Wrist, Right?

While a violation in any of these areas could be minor, a HIPAA violation fine ranges anywhere from a few hundred to a million dollars based on various factors such as:

The biggest fine so far? $16 million in a single settlement. Monetary fines aren’t the only thing you have to worry about if you find yourself facing a HIPAA violation. Jail time and extensive corrective action plans involving extra oversight and administrative work are real possibilities if a violation is found.

So How Can You Best Avoid a HIPAA Violation?

Many HIPAA violations can be attributed to a lack of employee education on what’s required under federal law. Violations aren’t usually intentional or malicious, which is why it’s so important to create a culture of compliance within your organization and promote good habits. Keeping up with your HIPAA compliance program and staying updated on any changes to federal regulations is the best way to keep your patients’ information secure and avoid ending up as another HIPAA headline.
OCR Levies Two HIPAA Fines Totaling $1,065,000 Amidst COVID-19
July 27, 2020

Even in the midst of COVID-19, the Office for Civil Rights (OCR) hasn’t let up on finding and enforcing HIPAA violations. Within just this past week, both a small healthcare provider and a larger health system found themselves facing HIPAA violations that resulted in hefty fines – $25,000 and $1.04 million, respectively – as well as extensive corrective action plans.

Continued Disregard for HIPAA

A small practice based out of North Carolina, Metropolitan Community Health Services (d/b/a Agape Health Services), filed its initial breach report all the way back in 2011 when there was an impermissible disclosure of protected health information (PHI) to an unknown email account. While the violation may have been triggered by that impermissible disclosure, the OCR’s hammer was brought down in large part by the practice’s continued disregard for HIPAA requirements and protections for their patients’ PHI. The disclosure impacted over 1,000 patients, and the practice’s report opened the doors to an OCR investigation of their entire HIPAA program. The investigation shed light on the practice’s failure to comply with various HIPAA Security Rule regulations, including:

Even after reporting the breach in 2011, the practice didn’t implement these missing HIPAA requirements in any hurry. Staff weren’t trained properly on HIPAA until 2016 – five years after the initial complaint was reported. The lack of progress made to safeguard their patients’ information resulted in the OCR levying a $25,000 fine years after the impermissible disclosure took place, in part as a result of continuously failing to remediate the gaps in their HIPAA program. OCR Director Roger Severino emphasized the practice’s lack of effort in his statement accompanying the press release. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”

This fine highlights that it is imperative not only to have a comprehensive HIPAA compliance program in place before a breach occurs, but also to ensure that safeguards are implemented after a breach has been identified – the OCR has made it clear that showing a lack of progress is one way to guarantee you end up in its crosshairs.

Unencrypted Laptop

The second violation involved a large healthcare system in Rhode Island, Lifespan ACE, and resulted in a whopping $1,040,000 resolution agreement. Back in 2017, a Lifespan employee’s car was broken into and a single unencrypted laptop containing patient information from various entities within the healthcare system was stolen. This data breach led to the impermissible disclosure of over 20,000 individuals’ PHI and opened the doors for the OCR’s further investigation. Upon investigation, it was found that they were missing various elements of their HIPAA program, including:

Because the laptop was not encrypted – a single technical safeguard that could have prevented the violation – the PHI of any patient that was accessible using the device was at high risk for misuse. Part of the OCR’s investigation revealed “systemic non-compliance” with HIPAA, including gaps in other media and device controls such as proper encryption. “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” added Roger Severino, OCR Director, in the news release. This fine emphasizes that even when theft is outside of a covered entity’s control, the responsibility still falls on the provider to properly encrypt and safeguard that valuable data.

While preventing every single possibility of a data breach might be unrealistic, maintaining a proactive HIPAA compliance program that meets federal requirements and includes all appropriate encryption and technical safeguards is achievable. Ensuring you have a complete program with all aspects of HIPAA reviewed and implemented is key – and stress-free when done with an intuitive software solution like Abyde.
Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine
March 3, 2020

Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for its failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program.

The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practice’s patients’ electronic protected health information in exchange for $50,000 to be paid by the practice. While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found itself in the government’s crosshairs. Within the compliance review, the OCR found that the practice had failed to do the following:

Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patients’ PHI at risk. This breach, and the corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent improper handling of or access to PHI.

OCR Director Roger Severino included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place.
OCR Settles First Case in HIPAA Right of Access Initiative
September 9, 2019

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is announcing its first enforcement action and settlement in its Right of Access Initiative. Earlier this year, OCR announced this initiative, promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.

Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules after Bayfront failed to provide a mother timely access to records about her unborn child. Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians.

OCR initiated its investigation based on a complaint from the mother. As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request, and providers can only charge a reasonable cost-based fee. This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bayfront/index.html
Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History
October 16, 2018

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans. This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules. The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.