Tuesday, March 3, 2020

Recent OCR Enforcement Actions and Civil Monetary Penalties

by Elizabeth Curtis, MA, RHIA, CHPS, FAHIMA 


This is a new feature of the OHIMA blog, entitled "HIPAA NEWS" - watch for these articles quarterly over the next year!
 
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services continued to be very active in 2019, after a record year in 2018. 

In 2019, OCR resolved 10 cases, through settlements and civil money penalties, totaling $12,274,000.

Here is a summary of actions related to the HIPAA Privacy and Security Rules, from the last half of 2019.  There have been no actions announced yet in 2020.

Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance
On December 30, 2019, OCR announced West Georgia Ambulance, Inc. (West Georgia) agreed to pay $65,000 to OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule. West Georgia provides emergency and non-emergency ambulance services.
OCR began its investigation after West Georgia filed a breach report in 2013 concerning the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.
OCR Settles Second Case in HIPAA Right of Access Initiative
On December 12, 2019, OCR announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. OCR announced this initiative earlier in 2019, promising to vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. Korunda Medical, LLC agreed to take corrective actions and pay $85,000 to settle a potential violation of HIPAA's right of access provision. Korunda is a Florida-based company that provides pain management.
In March of 2019, OCR received a complaint concerning a Korunda patient alleging that, despite repeatedly asking, Korunda failed to forward a patient's medical records in electronic format to a third party. Korunda failed to timely provide the records to the third party, failed to provide them in the requested electronic format, and charged more than allowed under HIPAA. OCR provided Korunda with technical assistance on how to correct these matters and closed the complaint. Despite OCR's assistance, Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of OCR's second intervention, the requested records were provided for free in May 2019, and in the format requested.
OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information

In an agreement with the OCR announced November 27, 2019, Sentara Hospitals agreed to take corrective actions and pay $2.175 million to settle potential violations of the HIPAA Breach Notification and Privacy Rules.  Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.

In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s PHI. OCR’s investigation determined that Sentara mailed 577 patients’ PHI, including patient names, account numbers, and dates of service, to wrong addresses.  Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.  Sentara persisted in its refusal to properly report the breach even after being explicitly advised of its duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations

OCR announced on November 7, 2019 that it imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC) for violations of the HIPAA Privacy and Security Rules between 2013 and 2017. TX HHSC is part of the Texas HHS system. The Department of Aging and Disability Services (DADS) was reorganized into TX HHSC in September 2017.
On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server; a flaw in the software code then allowed access to ePHI without access credentials. OCR's investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis and failed to implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals' ePHI.
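The DADS breach turned on two Security Rule failures that are easy to see in code: an application whose real access control was its network placement, and an audit trail too thin to count who read the data. The following is an added, constructed Python example written for this article; it is not the DADS application or any code OCR described. The record store, session tokens, role names and IP addresses are made up. It places the flaw pattern beside a hardened handler that authenticates every request wherever the app is hosted and records every attempt, so that the question OCR could not get answered ("how many unauthorized persons accessed ePHI?") becomes a query over the audit log.

```python
# Added illustrative example, not DADS's code. All data below is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample ePHI store: record id -> fields.
RECORDS = {
    "R-0001": {"name": "J. Roe", "ssn": "***-**-1234", "treatment": "PT, 2015-05-01"},
    "R-0002": {"name": "K. Doe", "ssn": "***-**-9876", "treatment": "OT, 2015-05-03"},
}
# Constructed session store: bearer token -> (principal, role).
SESSIONS = {
    "tok-caseworker": ("cw.alvarez", "caseworker"),
    "tok-intern": ("intern.lee", "intern"),
}
# Hypothetical roles permitted to read ePHI through this endpoint.
ROLES_ALLOWED_EPHI = {"caseworker", "clinician"}


@dataclass(frozen=True)
class AuditEvent:
    principal: str   # authenticated user, or "anonymous"
    source_ip: str   # where the request came from, kept even for denials
    record_id: str
    outcome: str     # "allowed" or "denied"


def lookup_unsafe(record_id: str, token: Optional[str] = None) -> Optional[dict]:
    """Flaw pattern: credentials are validated only when supplied.
    The author assumed the private server was reachable only by internal
    staff, so a missing token was treated as an internal request. Hosted
    on a public server, the same code serves ePHI to anyone who simply
    omits the token, and it writes no audit record of who asked."""
    if token is not None and token not in SESSIONS:
        return None
    return RECORDS.get(record_id)


def lookup_hardened(record_id: str, source_ip: str, token: Optional[str],
                    audit: list) -> Optional[dict]:
    """Every request is authenticated and authorized in code, independent
    of network placement, and every attempt (allowed or denied, named or
    anonymous) is appended to the audit log."""
    principal, role = SESSIONS.get(token or "", ("anonymous", None))
    authorized = role in ROLES_ALLOWED_EPHI
    audit.append(AuditEvent(principal, source_ip, record_id,
                            "allowed" if authorized else "denied"))
    return RECORDS.get(record_id) if authorized else None


def distinct_accessors(audit: list, outcome: str) -> list:
    """Distinct (principal, source_ip) pairs that produced the given
    outcome. A complete log makes the set of unauthorized attempts
    enumerable after the fact, which is what the missing audit controls
    prevented in the DADS investigation."""
    return sorted({(e.principal, e.source_ip)
                   for e in audit if e.outcome == outcome})


if __name__ == "__main__":
    log = []
    # Public-server scenario: an anonymous request from the internet.
    print("unsafe, no token:", lookup_unsafe("R-0001"))                       # ePHI leaks
    print("hardened, no token:", lookup_hardened("R-0001", "203.0.113.9", None, log))
    print("hardened, wrong role:", lookup_hardened("R-0002", "10.1.2.3", "tok-intern", log))
    print("hardened, caseworker:", lookup_hardened("R-0002", "10.1.2.3", "tok-caseworker", log))
    print("denied accessors:", distinct_accessors(log, "denied"))
```

The design point is that authorization lives in the handler, not in the deployment diagram: moving the hardened version to a public host changes nothing about who can read ePHI, and the denial records (including the anonymous one with its source address) are exactly what an investigator needs to size a breach.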
Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

On November 5, 2019, OCR announced The University of Rochester Medical Center (URMC) agreed to pay $3 million to the OCR and take substantial corrective action to settle potential HIPAA violations.

URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. In 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations

OCR announced on October 23, 2019 that it had imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for HIPAA violations between 2013 and 2016. JHS is a nonprofit academic medical system based in Miami, Florida.
On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the PHI of 756 patients in January 2013. JHS's internal investigation determined that an additional three boxes of patient records had also been lost in December 2012; however, JHS did not report the additional loss, or the increased number of affected individuals (1,436), until June 7, 2016.
In July 2015, OCR initiated an investigation following a media report that disclosed the PHI of a JHS patient. A reporter had shared a photograph of a JHS operating room screen containing the patient's medical information on social media. JHS subsequently determined that two employees had accessed this patient's electronic medical record without a job-related purpose.
On February 19, 2016, JHS submitted a breach report to OCR reporting that an employee had been selling patient PHI. The employee had inappropriately accessed over 24,000 patients' records since 2011.
OCR's investigation concluded that JHS failed to provide timely and accurate breach notification to the Secretary of HHS, conduct enterprise-wide risk analyses, manage identified risks to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information
Elite Dental Associates, Dallas (“Elite”) agreed to pay $10,000 to the OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule, the OCR announced on October 2, 2019.  Elite is a privately-owned dental practice located in Dallas, Texas.
On June 5, 2016, OCR received a complaint from an Elite patient alleging that Elite had responded to a social media review by disclosing the patient’s last name and details of the patient’s health condition.  OCR’s investigation found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.  Additionally, Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complied with the HIPAA Privacy Rule.  OCR accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.
OCR Settles First Case in HIPAA Right of Access Initiative
On September 9, 2019, OCR announced its first enforcement action and settlement in its Right of Access Initiative.  Earlier in 2019, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.
Bayfront Health St. Petersburg (Bayfront) paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the HIPAA Rules after Bayfront failed to provide a mother timely access to records about her unborn child.  Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital.
OCR initiated its investigation based on a complaint from the mother.  As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. HIPAA generally requires covered health care providers to provide medical records within 30 days of the request and providers can only charge a reasonable cost-based fee.  This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.
Summary
The actions taken by the OCR involved violations in the areas listed below, and provide a reminder to all health information professionals about the topics the OCR investigates.

Access and Audit Controls: Implementation of access and audit controls on information systems and applications, including regularly reviewing information system activity records, and restricting workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.

Breach Reporting: Report breaches to HHS accurately and on time, including any later increase in the number of individuals affected.

Business Associate Agreement: Agreements in place with every entity that performs business associate services, including affiliated entities.

Notice of Privacy Practices: Meets the requirements specified in the HIPAA Privacy Rule.

Right of Access: Timely provision of medical records (generally within 30 days), in electronic format if requested, to the patient or a designated third party, charging at most what is allowable under HIPAA.

Risk Analysis: Conducting an enterprise-wide risk analysis, providing a security awareness and training program, implementing HIPAA Security Rule policies and procedures, and managing identified risks to a reasonable and appropriate level.

Security Measures: Implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilizing device and media controls; and employing a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it is reasonable and appropriate to do so.

Social Media: Policy and procedure regarding disclosures of PHI to ensure that social media interactions, including responses to online reviews, protect patient PHI.

Additional Information
All HHS press releases, fact sheets and other news materials are available at https://www.hhs.gov/news.

