This is a new feature of the OHIMA blog entitled "HIPAA NEWS"; watch for these articles quarterly over the next year!
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services continued to be very active in 2019, after a record year in 2018. In 2019, OCR settled 10 cases totaling $12,274,000 from enforcement actions and civil monetary penalties.
Here is a summary of actions related to the HIPAA Privacy and Security Rules from the last half of 2019. No actions have been announced yet in 2020.
Ambulance Company Pays $65,000 to Settle Allegations of Longstanding HIPAA Noncompliance
On December 30, 2019, OCR announced West Georgia Ambulance, Inc. (West Georgia) agreed to pay $65,000 to OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule. West Georgia provides emergency and non-emergency ambulance services.
OCR began its investigation after West Georgia filed a breach report in 2013 concerning the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures.
OCR Settles Second Case in HIPAA Right of Access Initiative
On December 21, 2019, OCR announced its second
enforcement action and settlement under its HIPAA Right of Access Initiative.
OCR announced this initiative earlier in 2019 promising to vigorously enforce
the rights of patients to get access to their medical records promptly, without
being overcharged, and in the readily producible format of their choice.
Korunda Medical, LLC agreed to take corrective actions and pay $85,000 to
settle a potential violation of HIPAA's right of access provision. Korunda is a
Florida-based company that provides pain management.
In March of 2019, OCR
received a complaint concerning a Korunda patient alleging that, despite
repeatedly asking, Korunda failed to forward a patient's medical records in
electronic format to a third party. Korunda failed to timely provide the
records to the third party, failed to provide them in the requested electronic
format, and charged more than allowed under HIPAA. OCR provided Korunda with technical assistance
on how to correct these matters and closed the complaint. Despite OCR's
assistance, Korunda continued to fail to provide the requested records,
resulting in another complaint to OCR. As a result of OCR's second intervention,
the requested records were provided for free in May 2019, and in the format
requested.
OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information
In an agreement with OCR announced on November 27, 2019, Sentara Hospitals agreed to take corrective actions and pay $2.175 million to settle potential violations of the HIPAA Breach Notification and Privacy Rules. Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s PHI. OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services. Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred. Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations
OCR announced on November 7, 2019 that it imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC) for violations of the HIPAA Privacy and Security Rules between 2013 and 2017. TX HHSC is part of the Texas HHS system. The Department of Aging and Disability Services (DADS) was reorganized into TX HHSC in September 2017.
On June 11, 2015, DADS filed a breach report
with OCR stating that the electronic protected health information (ePHI) of
6,617 individuals was viewable over the internet, including names, addresses,
social security numbers, and treatment information. The breach occurred when an
internal application was moved from a private, secure server to a public server
and a flaw in the software code allowed access to ePHI without access
credentials. OCR's investigation determined that, in addition to the
impermissible disclosure, DADS failed to conduct an enterprise-wide risk
analysis, and implement access and audit controls on its information systems
and applications as required by the HIPAA Security Rule. Because of inadequate
audit controls, DADS was unable to determine how many unauthorized persons
accessed individuals' ePHI.
Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement
On November 5, 2019, OCR announced The University of Rochester Medical Center (URMC) agreed to pay $3 million to OCR and take substantial corrective action to settle potential HIPAA violations.
URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR's investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. In 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC's own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.
OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations
OCR announced on October 23, 2019 that it had imposed a civil money penalty of $2,154,000 against Jackson Health System (JHS) for HIPAA violations between 2013 and 2016. JHS is a nonprofit academic medical system based in Miami, Florida.
On August 22, 2013, JHS submitted a breach report to OCR stating that its Health Information Management Department had lost paper records containing the PHI of 756 patients in January 2013. JHS's internal investigation determined that an additional three boxes of patient records were also lost in December 2012; however, JHS did not report the additional loss, which increased the number of individuals affected to 1,436, until June 7, 2016.
In July 2015, OCR initiated an investigation
following a media report that disclosed the PHI of a JHS patient. A reporter
had shared a photograph of a JHS operating room screen containing the patient's
medical information on social media. JHS subsequently determined that two
employees had accessed this patient's electronic medical record without a
job-related purpose.
On February 19, 2016, JHS submitted a breach
report to OCR reporting that an employee had been selling patient PHI. The
employee had inappropriately accessed over 24,000 patients' records since 2011.
OCR's investigation concluded
that JHS failed to provide timely and accurate breach notification to the
Secretary of HHS, conduct enterprise-wide risk analyses, manage identified
risks to a reasonable and appropriate level, regularly review information
system activity records, and restrict authorization of its workforce members'
access to patient ePHI to the minimum necessary to accomplish their job duties.
Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients’ Protected Health Information
Elite Dental Associates, Dallas ("Elite") agreed to pay $10,000 to OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Privacy Rule, OCR announced on October 2, 2019. Elite is a privately-owned dental practice located in Dallas, Texas.
On June 5, 2016, OCR received a complaint from
an Elite patient alleging that Elite had responded to a social media review by
disclosing the patient’s last name and details of the patient’s health
condition. OCR’s investigation found that Elite had impermissibly
disclosed the protected health information (PHI) of multiple patients in
response to patient reviews on the Elite Yelp review page. Additionally,
Elite did not have a policy and procedure regarding disclosures of PHI to
ensure that its social media interactions protect the PHI of its patients or a
Notice of Privacy Practices that complied with the HIPAA Privacy Rule.
OCR accepted a substantially reduced settlement amount in consideration of
Elite’s size, financial circumstances, and cooperation with OCR’s
investigation.
OCR Settles First Case in HIPAA Right of Access Initiative
On September 9, 2019, OCR announced its first enforcement action and settlement in its Right of Access Initiative. Earlier in 2019, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.
Bayfront Health St. Petersburg (Bayfront) paid
$85,000 to OCR and has adopted a corrective action plan to settle a potential
violation of the right of access provision of the HIPAA Rules after Bayfront
failed to provide a mother timely access to records about her unborn child.
Bayfront, based in St. Petersburg, Florida, is a Level II trauma and
tertiary care center licensed as a 480-bed hospital.
OCR initiated its investigation based on a complaint from the mother. As a result of that investigation, Bayfront directly provided the individual with the requested health information, more than nine months after the initial request. HIPAA generally requires covered health care providers to provide medical records within 30 days of the request, and providers can only charge a reasonable cost-based fee. This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.
Summary
The actions taken by OCR involved violations in the areas listed below, and provide a reminder to all health information professionals about the topics OCR investigates.
Access and Audit Controls: Implementation of access and audit controls on information systems and applications, including regularly reviewing information system activity records, and restricting authorization of workforce members' access to patient ePHI to the minimum necessary to accomplish their job duties.
Breach Reporting: Reported accurately and timely.
Business Associate Agreement: Agreements in place with entities that perform business associate services.
Notice of Privacy Practices: Meets requirements as specified in the HIPAA Privacy Rule.
Right of Access: Timely provision of medical records (generally within 30 days), in electronic format (if requested), charging at most what is allowable under HIPAA.
Risk Analysis: Conducting an enterprise-wide risk analysis, providing a security awareness and training program, implementing HIPAA Security Rule policies and procedures, and managing identified risks to a reasonable and appropriate level.
Security Measures: Implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilizing device and media controls; and employing a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it is reasonable and appropriate to do so.
Social Media: Policy and procedure regarding disclosures of PHI to ensure social media interactions protect patient PHI.
Additional Information
All HHS press releases, fact sheets and other news materials are available at https://www.hhs.gov/news.