OCR Settles Eight HIPAA Resolution Agreements in September 2020
This month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) had its busiest month of HIPAA resolution agreements in a long time, announcing eight separate settlements in the last two weeks alone.
The fines for these settlements ranged from $3,500 to $6.85 million, the latter being the second-highest HIPAA penalty ever recorded. The eight agreements varied not only in amount but also in organization type, with both covered entities and business associates included in this month's roundup.
Right of Access Initiative Settlements
The HIPAA Right of Access Initiative is an OCR enforcement effort intended to protect an individual's right to obtain access to their own protected health information (PHI) within a reasonable amount of time. Since the initiative was announced in 2019, OCR has completed seven enforcement actions under it, including the five announced in September 2020.
Patient access to PHI has been a key area of concern and attention for OCR over the past two years, so it is fitting that this month's settlements reflect that. Each of these five resolution agreements originated from a patient complaint to OCR after the individual was not given access to their PHI as requested. The five Right of Access violations were each settled for relatively small amounts, but they send a clear message that OCR expects compliance with the HIPAA regulations, including a person's right of access.
Right of Access Initiative settlements this month were reached with organizations including the following:
Housing Works Inc.
All Inclusive Medical Services Inc.
Beth Israel Lahey Health Behavioral Services
Wise Psychiatry, PC
Other Forms of Noncompliance
Clearly the majority of OCR's settlements this month related to the Right of Access Initiative. However, there were three other resolution agreements that are important to touch on, particularly the one carrying the second-largest fine OCR has ever issued. In all three cases, OCR found the organization to be in violation of the HIPAA Rules, and in addition to the fines, each organization entered into a corrective action plan with two years of OCR monitoring.
Athens Orthopedic Clinic PA
Athens Orthopedic Clinic PA, a Georgia covered entity, has agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle HIPAA violations identified following a breach. In June 2016, Athens Orthopedic was contacted by a hacker who demanded money in return for a copy of the patient database; the attacker had been accessing the database for over a month. When OCR investigated the reported breach, it found that the clinic had longstanding noncompliance with HIPAA, violating both the Privacy Rule and the Security Rule.
CHSPSC LLC
CHSPSC LLC is a Tennessee business associate that provides IT-related management services to healthcare providers and other covered entities. This case began in 2014, when the FBI notified CHSPSC that it had observed a hacking threat to CHSPSC's systems. Despite this warning, precautions were not taken, and hackers were able to access the information of over 6 million individuals during the five months following the warning. During its investigation, OCR found that CHSPSC LLC had systemic noncompliance with the HIPAA Security Rule, including failure to conduct regular risk analyses and insufficient access controls.
Premera Blue Cross
Potentially the most newsworthy OCR settlement of the month was the one reached with Premera Blue Cross (PBC), which violated both the HIPAA Privacy and Security Rules, leading to a breach of PHI affecting over 10.4 million people. PBC is the second-largest health plan in the Pacific Northwest and will now pay the second-largest fine in OCR history, $6.85 million. In March 2015, PBC filed a breach report describing a cyberattack that began with a phishing email and gave the attackers undetected access to its systems for almost nine months. Given the number of individuals affected, the failure to conduct a complete enterprise-wide risk analysis, and inadequate risk mitigation plans, this settlement comes at a huge cost to the organization. The OCR Director noted that this case reflects the importance of large organizations investing in the security of their PHI, because a vulnerability in their systems can have widespread impact.
There are a few key takeaways from OCR's activity over the month of September 2020. With a higher number of settlements this month than usual, it is clear that OCR is refocusing its efforts on enforcement of HIPAA violations. Although the first half of 2020 saw a lull in resolution agreements due to the COVID-19 health crisis, OCR has made it clear that HIPAA compliance remains of utmost importance for healthcare providers and their business associates.