Round-up of Recent OCR Settlements
B. Brandon Au, DDS of New Vision Dental
On December 14, 2022, the Office of Civil Rights (OCR) within the Department of Health and Human Services announced a settlement it had reached with B. Brandon Au, DDS of New Vision Dental in California. The settlement followed the impermissible disclosure of PHI (Protected Health Information) by the office in response to online reviews.
In November 2017, the OCR received a complaint that New Vision Dental had disclosed PHI in its response to a patient’s online review of the practice. The disclosure included patient names, treatments, and insurance information. The practice used social media in an unauthorized manner and shared PHI in the process, which HIPAA prohibits.
As a result of the violation, B. Brandon Au, DDS and New Vision Dental have agreed to pay $23,000 and implement a corrective action plan that includes 2 years of monitoring by OCR to ensure compliance.
This case serves as a strong reminder of how important it is for a HIPAA-compliant organization to have strict, secure practices when using social media. The OCR is showing that it remains committed to enforcing HIPAA and PHI security, including on social media.
Health Specialists of Central Florida
On December 15, 2022, the OCR announced a second settlement, with Health Specialists of Central Florida Inc., regarding a potential violation of the HIPAA Right of Access Initiative. Under this agreement, Health Specialists of Central Florida has agreed to pay $20,000, implement a corrective action plan, and submit to 2 years of monitoring.
Health Specialists of Central Florida is a primary care provider in Florida. In August 2019, a complaint was filed against Health Specialists by a daughter acting as the personal representative of her deceased father, who had been a patient of the facility. The complaint stated that she had made multiple requests for her late father’s medical records, which the office had failed to fulfill.
This settlement marks the 42nd case to be resolved under the Right of Access Initiative and shows the department's continued dedication to enforcing this initiative.
Life Hope Labs LLC
On January 3rd, 2023, the Office of Civil Rights (OCR) started the year off strong by announcing a settlement with Life Hope Labs LLC, a Sandy Springs, Georgia-based diagnostic laboratory. This settlement stems from a potential violation of the HIPAA Right of Access Initiative. Yet again, OCR maintains its position on enforcing this key initiative for patients’ rights.
In August 2021, the OCR received a complaint alleging that Life Hope Labs had not given a patient’s personal representative a copy of her deceased father’s medical records upon request. The individual eventually did receive the requested records, but only more than 7 months after the initial request.
Life Hope Labs LLC has agreed to pay $16,500, implement a corrective action plan, and submit to 2 years of OCR monitoring as a result of this potential violation.
Banner Health Affiliated Covered Entities (Banner Health)
On February 2nd, 2023, the OCR announced the second settlement of 2023, a massive $1.25 million settlement with Banner Health Affiliated Covered Entities (Banner Health) stemming from a hacking incident. Banner Health, a nonprofit health system based in Phoenix, Arizona, experienced a hack that resulted in the disclosure of 2.81 million patients’ protected health information.
Banner Health is one of the nation’s largest nonprofit health systems, with over 50,000 employees across 50 states. It is the largest single employer in Arizona and one of the largest in Northern Colorado.
In late 2016, the OCR began an investigation into Banner Health after receiving a breach report stating that a “threat actor” had gained unauthorized access to the ePHI of millions of individuals within its systems. The attacker accessed PHI including patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information. The OCR’s investigation found long-term, continual noncompliance with the HIPAA Security Rule, which was of particular concern given the organization’s size.
The potential violations that the OCR found against Banner Health include:
- Lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization
- Insufficient monitoring of its health information systems’ activity to protect against a cyberattack
- Failure to implement an authentication process to safeguard its electronic protected health information
- Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.
To settle these potential violations, Banner Health has agreed to pay $1.25 million, submit to 2 years of OCR monitoring, and implement a corrective action plan.
In addition to those 3 typical elements of a settlement, Banner Health has agreed to several further steps to remedy the situation. These include conducting a thorough and accurate HIPAA risk assessment to identify potential and existing risks and vulnerabilities to ePHI and other data across the organization. Next, it will develop and implement a risk management plan that addresses the risks and vulnerabilities identified by the risk assessment. Banner Health has also agreed to develop, implement, and distribute policies and procedures for ongoing risk assessments and risk management plans, regular reviews of activity within its information systems, an authentication process to safeguard data and records, and security measures to protect ePHI from unauthorized access. Finally, it has agreed to report to HHS within 30 days whenever any member of its workforce fails to comply with any aspect of the Security Rule.
HHS and OCR want this settlement to serve as a reminder of the threats facing health care organizations of all sizes. OCR Director Melanie Fontes Rainer said regarding this: “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyberattacks.”