January OCR Settlements

News & PR
February 4, 2021
In January, the OCR announced two settlements for violations of the HIPAA Right of Access Initiative.

In the first month of 2021, the OCR made it clear that it plans to continue enforcing the HIPAA Right of Access Initiative, carrying its momentum straight into the new year. Patients can take solace in knowing that this year will further reinforce that providers must give individuals their medical records upon request. One Right of Access settlement took place in January 2021, and the details of that violation and its resolution are below.

Banner Health 

A Phoenix, Arizona-based health system, Banner Health affiliated covered entities (ACE), was the fourteenth organization to reach a settlement with the OCR under the Right of Access Initiative. This $200,000 settlement was reached following a potential violation of HIPAA by Banner Health, which is one of the largest health care systems in the country. Banner operates 30 hospitals and other care facilities, including urgent care, primary care, and specialty care.

This high-dollar settlement follows two complaints made by individuals against Banner Health relating to potential violations of the Right of Access Initiative. The first was submitted to the OCR in December 2017, upon which an investigation was launched, and the requested records were eventually provided to the patient in May 2018. The second complaint involves a patient who requested access to his electronic records in September 2019; the records were not sent to him until February 2020.

The OCR investigated these two complaints and eventually determined that neither patient's information was provided in a timely manner. Both situations were potential violations of HIPAA and its Right of Access Initiative. Banner Health will be required to pay the monetary settlement while also implementing a corrective action plan and undergoing two years of monitoring. A complete version of the resolution agreement can be seen here.

Roger Severino, the outgoing OCR Director, said: "This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records." This is a clear signal that the OCR will maintain its dedication to the Right of Access Initiative throughout 2021. We'll make sure to keep you updated on the details of each HIPAA settlement throughout the year!

Excellus Health Plan, Inc. 

The second settlement reached in January was not under the Right of Access Initiative, but it was one of the highest fine amounts in HIPAA history. Excellus Health Plan, a New York-based health service corporation, has agreed to pay $5.1 million as a penalty for a large data breach dating back to 2013. The investigation followed a breach report that Excellus Health Plan filed with the OCR in September 2015.

This breach, which affected over 9.3 million individuals, came after cybercriminals were able to gain access to Excellus' IT systems beginning on or before late December 2013. The attackers installed malware on the server in order to gain unauthorized access to millions of individuals' information. Specifically, the cybercriminals were potentially able to take "names, addresses, date of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information."

This significant breach prompted an OCR investigation into Excellus' operations and compliance with HIPAA's requirements. Through the investigation, the OCR determined that Excellus did not complete the necessary organization-wide risk analysis, failed to implement proper risk management processes, and did not use the necessary access controls. These findings led to a $5.1 million fine being levied on Excellus Health Plan for the breach that occurred from 2013 to 2015. In addition to the fine, Excellus will commit to a complete corrective action plan plus two years of close monitoring.

As we have seen, 2020 was a busy year for HIPAA settlements despite a pause in enforcement due to the COVID-19 public health crisis. After such a settlement-filled year, it will be interesting to see what momentum the OCR carries forward into 2021.
