January OCR Settlements
In the first month of 2021, the OCR made it clear that they plan to continue to enforce the HIPAA Right of Access Initiative by carrying the momentum immediately into the new year. Patients can take solace in knowing that this year will further enforce that providers must provide individuals with their medical records upon request. One settlement took place in January 2021 and here are all the details about that violation and resolution down below.
A Phoenix, Arizona-based health system, Banner Health affiliated covered entities (ACE), was the fourteenth organization to reach a settlement with the OCR under the Right of Access Initiative. This $200,000 settlement was reached following a potential violation of HIPAA by Banner Health which is one of the largest health care systems in the country. Banner operates 30 hospitals and other care facilities, including urgent care, primary care, and specialty care.
This high dollar settlement follows two complaints made by individuals against Banner Health relating to potential violations of the right of access initiative. The first was submitted to the OCR in December of 2017 upon which an investigation was launched, and eventually, the requested records were received to the patient in May 2018. The second key complaint involves a patient who requested access to his electronic records in September of 2019 and then the records were not sent to him until February 2020.
The OCR investigated these two complaints and scenarios and eventually determined these two patients’ information was not provided to them in a timely manner. These situations were both potential violations of HIPAA and its right of access initiative. Banner Health will be required to pay this monetary settlement while also input a corrective action plan plus two years of monitoring. A complete version of the resolution agreement can be seen here.
Roger Severino, the outgoing OCR Direction said “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records." This is just a signal that the OCR will maintain its dedication to the right of access initiative throughout 2021. We’ll make sure to keep you updated on the details of each HIPAA settlement throughout the year!
Excellus Health Plan, Inc.
The second settlement that was reached in the month of January was not under the Right of Access Initiative but was one of the highest fine amounts in HIPAA history. Excellus Health Plan, a New York-based health service corporation, has agreed to pay $5.1million as a penalty for a large data breach dating back to 2013. This investigation follows a breach report that Excellus Health Plan filed with the OCR in September 2015.
This breach, which affected over 9.3 million individuals, came after cybercriminals were able to gain access to Excellus’ IT systems beginning on or before late December 2013. These hackers were able to install malware onto the server in order to gain unauthorized access to millions of individual’s information. Specifically, the cybercriminals were potentially able to take “names, addresses, date of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.”
This significant breach prompted an OCR investigation into Excellus’ operations and compliance with HIPAA’s requirements. Through the investigation, the OCR determined that Excellus did not complete the necessary organization-wide risk analysis, failed to implement proper risk management processes, or use the necessary access controls. All of this information and these findings led to a $5.1 million fine being levied onto the Excellus Health Plan for the breach that occurred from 2013 to 2015. In addition to this fine, Excellus will commit to a complete corrective action plan plus two years of close monitoring.
As we have seen, 2020 was a busy year of HIPAA settlements despite a pause in enforcement due to the COVID-19 public health crisis. After the last settlement-filled year, it will be interesting to see what momentum the OCR brings forward into 2021.