What are some of the actual HIPAA fines?

Resolution Agreements and Civil Money Penalties

A resolution agreement is a settlement agreement signed by the Department of Health and Human Services (HHS) and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

Some examples of obligations a resolution agreement or its corrective action plan (CAP) may impose are:

  • The covered entity agrees to pay the Resolution Amount within 30 days of the Effective Date of the Agreement by automated clearing house transaction pursuant to written instructions to be provided by HHS. 
  • Within thirty (30) calendar days of the Effective Date, the covered entity shall review, and to the extent necessary, revise its policies and procedures related to access to protected health information that includes methods of calculating the costs for access to PHI. 
  • Within sixty (60) calendar days of the Effective Date, the covered entity shall provide training materials regarding the individual’s right of access to PHI. 
  • Within ninety (90) calendar days of receipt of HHS’s approval of the policies and procedures and every ninety (90) days thereafter while under the Term of this CAP, the covered entity shall submit to HHS a list of requests for access to PHI received by the covered entity, including the date request received, date request completed, format requested, format provided, number of pages (if provided in paper format), and cost, excluding postage.
  • Within one hundred twenty (120) calendar days after the receipt of HHS’s approval of the policies and procedures the covered entity shall submit a written report to HHS summarizing the status of its implementation of the requirements of the corrective action plan.
  • The one (1) year period after the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within sixty (60) calendar days after the close of each corresponding Reporting Period, the covered entity shall submit a report to HHS regarding the covered entity’s compliance with the CAP for each corresponding Reporting Period (“Annual Report”).

A State Attorney General can also impose fines for privacy violations. For example, the Consumer Protection Division of the Office of the Attorney General in Florida is the civil enforcement authority for violations of the Florida Deceptive and Unfair Trade Practices Act. Since 2011, the Division has generated more than $10 billion in recoveries; approximately $9.8 billion of that total has been or will soon be returned for the benefit of Floridians.

Keep in mind, the Department of Justice (DOJ), the Office of Inspector General (OIG), and the Federal Trade Commission (FTC) can also impose fines based on fraud or misleading information. 

Here are some links for more information: 

https://www.justice.gov/criminal-fraud/health-care-fraud-unit

https://oig.hhs.gov/fraud/enforcement/

https://www.ftc.gov/industry/health-care

June 28, 2023 A Business Associate has paid the OCR $75K for a data breach affecting 267 individuals 

iHealth Solutions, LLC (doing business as Advantum Health), is a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers. A network server containing the protected health information of 267 individuals was left unsecured on the internet. Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule.

June 15, 2023 Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement 

Yakima Valley Memorial Hospital is a not-for-profit community hospital located in Yakima, Washington. OCR investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals. Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

Yakima Valley Memorial Hospital has agreed to take the following steps to bring their organization into compliance with the HIPAA Rules: 

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information. 
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis. 
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures. 
  • Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures. 
  • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place. 

June 05, 2023 Health Care Provider in New Jersey fined $30K for Disclosing Patient Information in Response to Negative Online Reviews 

Manasa Health Center, LLC, is a health care provider in New Jersey that provides adult and child psychiatric services. Manasa Health Center impermissibly disclosed the protected health information of a patient when the entity posted a response to the patient’s negative online review. 

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer. “The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.” 

In addition to the monetary settlement, Manasa Health Center will undertake a corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule. The corrective action plan includes the following steps: 

  • Develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule. 
  • Train all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules. 
  • Within 30 calendar days of the agreement, Manasa Health Center shall issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization. 
  • Within 30 calendar days of the agreement, Manasa Health Center shall submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization. 

February 02, 2023 OCR Fines Arizona Hospital System $1.25M after a Cybersecurity Hacking Incident 

Banner Health, a nonprofit health system headquartered in Phoenix, Arizona, discovered a threat actor gained unauthorized access to the electronic protected health information (ePHI) in July 2016. The total number of individuals involved was determined to be 2.81 million.  

HHS’s investigation indicated potential violations of the following provisions: 

  1. The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Banner (see 45 C.F.R. § 164.308(a)(1)(ii)(A)). 
  2. The requirement to implement sufficient procedures to regularly review records of information system activity (see 45 C.F.R. § 164.308(a)(1)(ii)(D)). 
  3. The requirement to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (see 45 CFR § 164.312(d)). 
  4. The requirement to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network (see 45 C.F.R. § 164.312(e)(1)). 

As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.  

May 16, 2023 Arkansas Business Associate fined $350K for Unlawful Disclosure of Protected Health Information on an Unsecured 

MedEvolve, Inc., is a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered health care entities. The settlement concludes OCR’s investigation of a data breach in which a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet. MedEvolve has paid a $350,000 monetary settlement to OCR and agreed to implement a corrective action plan which identifies steps it will take to resolve potential violations and protect the security of electronic patient health information.

OCR investigates every report it receives of a breach of unsecured protected health information affecting 500 or more people. Hacking/IT incidents were the most frequent (79%) type of large breach reported in 2022, and network servers are the largest category by location for breaches involving 500 or more individuals. It is critical that HIPAA covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors.

MedEvolve has agreed to take the following steps: 

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization; 
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis; 
  • Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules; 
  • Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information; and 
  • Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules. 

May 10, 2023 Office for Civil Rights Settles Complaint with Florida Health Center that Failed to Provide Effective Communication for a Patient’s Caregiver 

MCR Health, Inc. has entered into a Voluntary Resolution Agreement to resolve a disability discrimination complaint based on Section 504 of the Rehabilitation Act of 1973 and Section 1557 of the Patient Protection and Affordable Care Act. The agreement resolves a complaint filed by an individual who is deaf and hard of hearing, alleging that MCR Health failed to provide her with auxiliary aids and services when she requested that an interpreter be present while she attended her husband’s post-surgical medical appointment as his companion. OCR enforces Section 504 of the Rehabilitation Act and Section 1557 of the Affordable Care Act, two federal civil rights laws prohibiting discrimination on the basis of disability in programs receiving Federal financial assistance. Collectively, Section 504 and Section 1557 prohibit any entity that receives Federal financial assistance from discriminating against qualified individuals with disabilities and require an entity to take steps to ensure that communication with individuals with disabilities is as effective as communication with others, through the use of appropriate auxiliary aids and services.

May 08, 2023 OCR reaches a $15,000 Settlement under the Right of Access Initiative 

David Mente, MA, LPC (“Mente”), a licensed counselor providing psychotherapy services in Pittsburgh, Pennsylvania, has agreed to pay $15K to the Office for Civil Rights on the effective date of the resolution agreement. This investigation marks the 44th case to be resolved under OCR’s HIPAA Right of Access Initiative, designed to improve compliance by regulated entities with the law. “Under HIPAA, parents, as the personal representatives of their minor children, generally have a right to access their children’s medical records,” said OCR Director Melanie Fontes Rainer. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records.”

January 3, 2023 Lab Pays $16,500 Settlement to HHS over Medical Records Request 

This investigation marks the 43rd case to be resolved under OCR’s HIPAA Right of Access Initiative, designed to improve compliance by regulated entities with the law.  

Life Hope Labs, a full-service diagnostic laboratory in Sandy Springs, Georgia, did not provide a personal representative with a copy of her deceased father’s medical records when requested on July 7, 2021. The Office for Civil Rights was notified in August 2021 and the personal representative did not receive them until February 16, 2022.  

Life Hope Labs agrees to pay the Resolution Amount of $16,500 on the Effective Date of the Agreement. In addition to the monetary settlement, Life Hope Labs also agreed to implement a corrective action plan that includes two years of monitoring by OCR. 

December 15, 2022 OCR resolves a HIPAA Right of Access case with a $20,000 settlement

This investigation marks the 42nd case to be resolved under OCR’s HIPAA Right of Access Initiative, designed to improve compliance by regulated entities with the law.

OCR investigated Health Specialists of Central Florida Inc., a primary care provider in Florida, concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access provision. On November 22, 2019, OCR received a complaint against the Covered Entity. The Complainant made a written access request for her deceased father’s medical records, which the Covered Entity received on August 29, 2019. On August 29, 2019, the Complainant submitted an Authorization for Release of Medical Record Information form and a copy of the original Letters of Administration. On January 27, 2020, the Covered Entity sent the requested medical records to the Complainant. The HIPAA Privacy Rule requires that patients be able to access their health information in a timely manner. Health Specialists of Central Florida Inc. paid $20,000 to OCR and agreed to implement a corrective action plan (CAP).

December 14, 2022 OCR settles with Dental Practice over disclosures of PHI in social media

B. Brandon Au, DDS, Inc., d/b/a New Vision Dental (New Vision Dental), in California, has been fined over the impermissible disclosure of patient protected health information (PHI) in response to online reviews, and other potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The violation involves the provider’s inappropriate use of social media to respond to patient reviews, disclosing protected health information. This practice is illegal under HIPAA. New Vision Dental paid $23,000 to OCR within five business days of the Effective Date of the Agreement and agreed to implement a corrective action plan (CAP).

September 20, 2022 OCR settles three cases with Dental Practices for Patient Right of Access

https://www.hhs.gov/about/news/2022/09/20/ocr-settles-three-cases-dental-practices-patient-right-access-under-hipaa.html

These cases are part of a collective effort, bringing the total to 41 cases, to drive compliance on right of access under the law. “These three right of access actions send an important message to dental practices of all sizes that are covered by the HIPAA Rules to ensure they are following the law,” said OCR Director Melanie Fontes Rainer. “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days.”

  • Family Dental Care, P.C. (FDC) is a dental practice located in Chicago, Illinois. OCR received a complaint on August 8, 2020, alleging that FDC failed to provide a former patient with timely access to her complete medical records, known as the designated record set. The former patient requested her entire medical records in May 2020 but received only portions. The former patient filed a complaint with OCR, and during OCR’s investigation, FDC provided her with the remainder of her records in October 2020. OCR’s investigation determined that the failure to provide timely access was a potential violation of the HIPAA right of access provision. FDC agreed to pay $30,000 within 30 days of the resolution agreement date and implement a corrective action plan.
  • Great Expressions Dental Center of Georgia, P.C. (GEDC-GA) is a dental and orthodontics provider with multiple locations throughout the state of Georgia. In November 2020, OCR received a complaint alleging that GEDC-GA would not provide an individual with copies of her medical records because she would not pay a $170 copying fee. The individual first requested her records in November 2019 but did not receive them until February 2021. OCR’s investigation determined that the failure to provide timely access to the requested medical records, and the practice of assessing copying fees that were not reasonable and cost-based, were potential violations of the HIPAA right of access provision. GEDC-GA agreed to pay $80,000 on the effective date of the resolution agreement and implement a corrective action plan.
  • B. Steven L. Hardy, D.D.S., LTD, doing business as Paradise Family Dental (“Paradise”), is a dental practice in Las Vegas, Nevada. On October 26, 2020, OCR received a complaint alleging that Paradise had failed to provide a mother with copies of her and her minor child’s protected health information. The mother submitted multiple record requests between April 11, 2020, and December 4, 2020, but Paradise did not send the records until December 31, 2020. OCR’s investigation determined that Paradise’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. Paradise agreed to pay $25,000 and implement a corrective action plan.

August 23, 2022 OCR settles case concerning improper disposal of Protected Health Information and practice fined $300,640

New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), has been fined over the improper disposal of protected health information, a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. 

On May 11, 2021, NEDLC filed a breach notification report with OCR stating empty specimen containers that were labeled with protected health information (PHI) were placed in a dumpster located in NEDLC’s parking lot. On March 31, 2021, one specimen container bearing a label containing PHI was found in the parking lot by a security guard. The PHI on the specimen label included patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen.

NEDLC stated that it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged, and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label. This practice was in effect from February 4, 2011 until March 31, 2021. HHS has agreed to accept, and NEDLC has agreed to pay HHS, the amount of $300,640 on the Effective Date of this Agreement.

July 15, 2022 Eleven enforcement actions uphold patients’ rights under HIPAA 

https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html

HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans. After receiving a request, an entity has 30 days, absent an extension, to provide an individual or their representative with their records. There is a proposed rule in the making that could reduce this to 15 days. But for now, it is 30 days, with one 30-day extension available if the entity states, within the original 30 days, the date by which the patient will receive their records. The Office for Civil Rights (OCR) has taken the following enforcement actions and ensured that complainants received copies of their records:

  • ACPM Podiatry, with offices in Peoria and Canton, Illinois, failed to provide a former patient with his requested medical records.  In response to an initial complaint, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records, after numerous requests. ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination.  OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000. 
  • Associated Retina Specialists, of New York, failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the complainant’s first written request. Associated Retina has agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard. 
  • Lawrence Bell, Jr., D.D.S., a dental practice located in Baltimore, MD, failed to provide timely access to a patient’s medical record. The dental practice has agreed to take corrective actions and has paid $5,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Coastal Ear, Nose, and Throat (ENT), located in Ormond Beach, Florida, failed to provide timely access to medical records after multiple requests for such records from a patient. Coastal ENT has agreed to take corrective actions and has paid $20,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Danbury Psychiatric Consultants (DPC), located in Massachusetts, failed to respond timely to a complainant’s access request.  DPC also withheld the complainant’s access on the basis that the complainant had an outstanding balance and required a signed request or authorization request. DPC has agreed to take corrective actions and has paid $3,500 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Erie County Medical Center Corporation, a public benefit corporation that operates a hospital, Erie County Medical Center (ECMC), located in Buffalo, New York, failed to timely provide an individual with a complete copy of his medical records. ECMC has agreed to take corrective actions and has paid $50,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Fallbrook Family Health Center, located in Nebraska, failed to provide timely access to medical records.  Fallbrook Family Health Center has agreed to take corrective actions and has paid $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Hillcrest Nursing and Rehabilitation, located in Massachusetts, failed to provide an individual’s personal representative with timely access to her son’s medical records. Hillcrest has agreed to take corrective actions and has paid $55,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • MelroseWakefield Healthcare (MWH), a provider in Massachusetts, did not provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records. MWH has agreed to take corrective actions and has paid $55,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Memorial Hermann Health System, a not-for-profit health system in Southeast Texas, consisting of 17 hospitals, including Memorial Hermann Katy Hospital, failed to respond timely to a complainant’s access request.  Memorial Hermann has agreed to corrective actions and has paid $240,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Southwest Surgical Associates (SWSA) is a group practice with nine locations in the Greater Houston, TX area that failed to provide an individual timely access to their health information. SWSA has agreed to corrective actions and has paid $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
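The 30-day window with one 30-day extension described above, together with the access-request log fields a corrective action plan requires (date received, date completed, format requested and provided, pages, cost), can be turned into a simple compliance check that flags late or overdue requests before a complainant or OCR does. The Python below is an added example for this page, not code from HHS, OCR or any entity named here; the record fields, the `AccessRequest` class, the sample log and the rule that an extension counts only when the written notice was sent within the original 30 days and names a delivery date no more than 60 days after receipt are all assumptions made for the example.

```python
"""Right-of-access deadline tracker (added example; not HHS or OCR code).

Assumptions (not stated on the page): the field names below, and that an
extension is honoured only when the written notice was sent within the
original 30-day window and names a delivery date no later than 60 days
after the request was received.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INITIAL_WINDOW = timedelta(days=30)    # days to act on a request (page: 30 days)
EXTENSION_WINDOW = timedelta(days=30)  # one additional 30-day extension (page)


@dataclass
class AccessRequest:
    """One row of the access-request log a CAP requires; extension fields are assumed."""
    request_id: str
    received: date
    completed: Optional[date]              # None while the request is still open
    format_requested: str = "paper"
    format_provided: Optional[str] = None
    cost: float = 0.0                      # excluding postage
    extension_notice_sent: Optional[date] = None
    extension_promised_date: Optional[date] = None


def extension_is_valid(req: AccessRequest) -> bool:
    """An extension counts only if, inside the original 30 days, the entity told
    the requester the date on which they would receive the records."""
    if req.extension_notice_sent is None or req.extension_promised_date is None:
        return False
    initial_deadline = req.received + INITIAL_WINDOW
    return (req.extension_notice_sent <= initial_deadline
            and req.extension_promised_date <= initial_deadline + EXTENSION_WINDOW)


def deadline(req: AccessRequest) -> date:
    """Date by which the records must be provided (30 days, or 60 with a valid extension)."""
    base = req.received + INITIAL_WINDOW
    return base + EXTENSION_WINDOW if extension_is_valid(req) else base


def status(req: AccessRequest, today: date) -> str:
    """ON_TIME / LATE for completed requests; PENDING / OVERDUE for open ones."""
    due = deadline(req)
    if req.completed is None:
        return "OVERDUE" if today > due else "PENDING"
    return "ON_TIME" if req.completed <= due else "LATE"


def days_overdue(req: AccessRequest, today: date) -> int:
    """Days past the deadline (0 when not late); open requests are measured to today."""
    end = req.completed or today
    return max(0, (end - deadline(req)).days)


def audit(requests, today: date) -> dict:
    """Map request id -> (status, days overdue); the basis for the periodic report to HHS."""
    return {r.request_id: (status(r, today), days_overdue(r, today)) for r in requests}


# Constructed sample log (not real cases); dates chosen to exercise each branch.
AUDIT_DATE = date(2023, 3, 1)
SAMPLE_LOG = [
    # completed on day 18: on time
    AccessRequest("R-001", date(2023, 1, 2), date(2023, 1, 20)),
    # notice sent on day 23 naming Feb 25: valid extension, so due Mar 3
    AccessRequest("R-002", date(2023, 1, 2), date(2023, 2, 20),
                  extension_notice_sent=date(2023, 1, 25),
                  extension_promised_date=date(2023, 2, 25)),
    # notice sent after the original 30 days: extension does not count, so late
    AccessRequest("R-003", date(2023, 1, 2), date(2023, 2, 20),
                  extension_notice_sent=date(2023, 2, 5),
                  extension_promised_date=date(2023, 2, 25)),
    # still open on the audit date, well past day 30
    AccessRequest("R-004", date(2023, 1, 2), None),
]

if __name__ == "__main__":
    for rid, (state, late) in audit(SAMPLE_LOG, AUDIT_DATE).items():
        print(f"{rid}: {state} ({late} days past deadline)")
```

Running the audit on the constructed log marks R-001 and R-002 on time, R-003 late by 19 days because its extension notice went out after the original window closed, and R-004 overdue; feeding it the real log that a CAP requires gives a covered entity the same view of its exposure that OCR forms from a complaint.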

July 14, 2022 Oklahoma State University – Center for Health Sciences Pays $875,000 to Settle Hacking Breach

  • Oklahoma State University – Center for Health Sciences (OSU-CHS) has paid $875,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. On January 5, 2018, OSU-CHS filed a breach report stating that an unauthorized third party gained access to a web server that contained electronic protected health information (ePHI). The hacker installed malware that resulted in the disclosure of the ePHI of 279,865 individuals, including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially reported that the breach occurred on November 7, 2017, but later reported that the ePHI was first impermissibly disclosed on March 9, 2016. OCR’s investigation found potential violations of the HIPAA Rules, including impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failures to implement audit controls and security incident response and reporting; and failure to provide timely breach notification to affected individuals and HHS.

March 28, 2022 Four HIPAA enforcement actions hold healthcare providers accountable with compliance 

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/march-2022-hipaa-enforcement/index.html

November 30, 2021 Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2021-right-of-access-initiative/index.html

  • Advanced Spine & Pain Management (ASPM): HHS’s investigation found that on November 25, 2019, the complainant submitted to ASPM, in person, a written request seeking access to his PHI. ASPM acknowledged it received the complainant’s request on the same date. ASPM did not send the complainant a copy of his PHI until March 19, 2020, and was fined $32,150. 
  • Denver Retina Center (DRC): DRC admitted it was late in responding to the complainant’s request for her medical records, but DRC never confirmed the date of the request. In addition, after reviewing DRC’s policies and procedures, HHS concluded that it did not have compliant access policies and procedures under the Privacy Rule. DRC was fined $30K. 
  • Dr. Robert Glaser: a solo practitioner specializing in cardiovascular disease and internal medicine was fined $100K. A complainant had requested medical records several times, and Dr. Glaser ignored OCR’s request for information. 
  • Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido”): On December 4, 2019, January 28, 2020, and February 20, 2020, OCR received complaints from a patient (“Complainant”). The complaints alleged that Monte Nido failed to provide the Complainant with a copy of her medical records in response to the Complainant’s October 1, 2019, and November 21, 2019 access requests. The Covered Entity did not send the requested records until May 22, 2020, and was fined $160K. 
  • Wake Health Medical Group: Wake Health Medical Group is a small practice located in Raleigh, North Carolina, which offers primary care services, cosmetic full body skin exams, biopsy, massage and laser treatments. On December 19, 2020, OCR received a complaint alleging that Wake Health Medical Group had not provided the complainant with a copy of her medical records despite her making a request in person on June 27, 2019, and paying a fee of $25 for the records. During the course of the investigation, OCR learned via a phone call on April 15, 2021, with the receptionist at Wake Health Medical Group that the practice charges its patients a flat fee of $25 for a copy of their medical records. To date, Wake Health Medical Group has failed to provide the complainant with a copy of her medical records. The practice was fined $10K. 

September 10, 2021 OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement  

  • Children’s Hospital & Medical Center (CHMC) was fined $80K because CHMC failed to provide the complainant, acting as her late minor daughter’s personal representative, with timely access to her deceased daughter’s protected health information. HHS’s investigation found that on January 3, 2020, the complainant submitted a written request to CHMC for access to her late minor daughter’s medical records. At the time of the request, CHMC provided the complainant with a portion of the requested records; the remainder needed to be collected from another CHMC division. The complainant received the remaining records on June 20, 2020 and July 16, 2020. HHS has required that CHMC review, and to the extent necessary, revise its policies and procedures related to the right of access. 

June 2, 2021 OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative  

  • The Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) is a healthcare provider located in Martinsburg, West Virginia, operated by Dr. Philip J.A. Ryan, and specializing in endocrinology. In early August 2019, a complaint was filed with OCR alleging that DELC failed to take timely action in response to a parent’s records access request made in July 2019 for a copy of her minor child’s protected health information. OCR initiated an investigation and determined that DELC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. DELC has agreed to take corrective actions and pay $5,000 within 30 days of the Resolution Agreement to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 

May 25, 2021 Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations 

  • Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. In December 2017, OCR initiated a compliance review of Peachstate to determine its compliance with the HIPAA Privacy and Security Rules.  OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.

March 26, 2021 OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative 

  • Village Plastic Surgery (“VPS”) has agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. VPS is located in New Jersey and provides cosmetic plastic surgery services. OCR initiated an investigation and determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). As a result of OCR’s investigation, VPS sent the patient their requested records.

March 24, 2021 OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative 

  • The Arbour, Inc., doing business as Arbour Hospital (“Arbour”), has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. Arbour is located in Massachusetts and provides behavioral health services. In July 2019, a complaint was filed with OCR alleging that Arbour failed to take timely action in response to a patient’s records access request made in May 2019. OCR provided Arbour with technical assistance on the HIPAA Right of Access requirements. Later, in July 2019, OCR received a second complaint alleging that Arbour still had not responded to the same patient’s records access request. OCR initiated an investigation and determined that Arbour’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Arbour provided the patient with a copy of their requested records in November 2019, more than 5 months after the patient’s request. 

February 12, 2021 OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative 

  • Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (“SRMC”), has agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In June 2019, a complaint was filed with OCR alleging that SRMC failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided SRMC with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the patient’s records access request. OCR initiated an investigation and determined that SRMC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.  As a result of OCR’s investigation, SRMC provided access to the requested records. 

February 10, 2021 OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative 

  • Renown Health, P.C., a private, not-for-profit health system in Nevada, has agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In February 2019, OCR received a complaint alleging that Renown Health failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party.  OCR’s investigation determined that Renown Health’s failure to provide timely access to the requested records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Renown Health provided access to all of the requested records.

January 15, 2021 Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People  

  • Excellus Health Plan, Inc. has agreed to pay $5.1 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 9.3 million people.  Excellus Health Plan is a New York health services corporation that provides health insurance coverage to over 1.5 million people in Upstate and Western New York. OCR’s investigation found potential violations of the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.

January 12, 2021 OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative 

December 22, 2020 OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative 

November 19, 2020 OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative 

  • The University of Cincinnati Medical Center, LLC (UCMC), which is an academic medical center providing healthcare services to the Greater Cincinnati community, has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

November 12, 2020 OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative 

  • Dr. Rajendra Bhayani, who is a private practitioner specializing in otolaryngology in Regal Park, New York, has agreed to take corrective actions and pay $15,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

November 6, 2020 OCR Settles Tenth Investigation in HIPAA Right of Access Initiative 

  • Riverside Psychiatric Medical Group (“RPMG”) has agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. RPMG, based in Riverside, California, is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders.

October 30, 2020 City Health Department failed to terminate former employee’s access to protected health information  

  • The City of New Haven, Connecticut (New Haven) has agreed to pay $202,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.  The New Haven Health Department, among other things, operates a public health clinic that provides preventative medical services, including adult and pediatric immunizations.

October 28, 2020 Aetna Pays $1,000,000 to Settle Three HIPAA Breaches 

  • Aetna Life Insurance Company and affiliated covered entity (Aetna) has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. OCR found that Aetna failed to: perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of protected health information (PHI); implement procedures to verify that a person or entity seeking access to PHI is the one claimed; limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

October 9, 2020 OCR Settles Ninth Investigation in HIPAA Right of Access Initiative  

  • NY Spine Medicine (NY Spine) has agreed to take corrective actions and pay $100,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL. 

October 7, 2020 OCR Settles Eighth Investigation in HIPAA Right of Access Initiative

  • Dignity Health, dba St. Joseph’s Hospital and Medical Center (“SJHMC”), has agreed to take corrective actions and pay $160,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. SJHMC, based in Phoenix, Arizona, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services.

September 25, 2020 Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People  

  • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. HHS’s investigation indicated potential violations including: failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PBC; failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failure, until March 8, 2015, to implement sufficient hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI; and failure to prevent unauthorized access to the ePHI of 10,466,692 individuals whose information was maintained in PBC’s network.

September 23, 2020 HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals 

  • CHSPSC LLC (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people. CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. CHSPSC was unaware of the intrusion until notified by the Federal Bureau of Investigation (FBI) on April 18, 2014. HHS’s investigation indicated potential violations including: failure to prevent unauthorized access to the ePHI of 6,121,158 individuals whose information was maintained in CHSPSC’s network; failure, from April 18, 2014 to June 18, 2014, to respond to a known security incident, mitigate to the extent practicable the harmful effects of the security incident, and document the security incident and its outcome; failure to implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to information systems maintained by CHSPSC; failure to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and failure to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHSPSC.

September 21, 2020 Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules 

  • Athens Orthopedic Clinic PA (“AOC”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC is located in Georgia. On June 28, 2016, a hacker group known as “The Dark Overlord” contacted AOC by email and demanded money in return for handing over the complete copy of the database it had stolen and not selling or further disclosing it. Computer forensic analysis determined that the Dark Overlord had obtained a vendor’s credentials to AOC’s system and used them to gain access on June 14, 2016. Although AOC terminated the compromised credentials on June 27, 2016, the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016; revoking the one known set of credentials did not, by itself, end the attacker’s access. OCR’s investigation indicated potential violations including: failure to prevent unauthorized access to the ePHI of 208,557 individuals whose information was maintained in AOC’s information systems; failure, until August 2016, to maintain copies of AOC’s HIPAA policies and procedures; failure, from September 30, 2015 to December 15, 2016, to implement sufficient hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI; failure, until August 7, 2017, to enter into business associate agreements with three of its business associates, Quest Records LLC, Total Technology Solutions, and SRS Software LLC; failure, until January 15, 2018, to provide its entire workforce with HIPAA training; failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by AOC; and failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

September 15, 2020 OCR Settles Five Investigations in HIPAA Right of Access Initiative  

  • Housing Works Health Services III, d/b/a Housing Works Community Healthcare (HWCH), a subsidiary of Housing Works Inc., has agreed to pay HHS $38,000. Housing Works, Inc. is a New York City based non-profit organization fighting AIDS and homelessness; it also provides health care, advocacy, job training, reentry services, and legal aid support. On August 13, 2019, OCR received a complaint alleging that HWCH, the covered entity, had not provided the complainant with a copy of his medical records. The investigation established that HWCH failed to timely provide the complainant with a copy of his medical records. 
  • All Inclusive Medical Services Inc. (“AIMS”) has agreed to pay HHS $15,000. AIMS is a health care provider located in Carmichael, California. On April 25, 2018, OCR received a complaint alleging that AIMS refused to give the complainant access to her medical records: it failed to provide her with a copy and refused her request to inspect her records.
  • Northeast Behavioral Health Corporation, dba Beth Israel Lahey Health Behavioral Services (“BILHBS”), f/k/a Lahey Health Behavioral Services, has agreed to pay HHS $70,000. On April 26, 2019, HHS received a complaint against BILHBS from an individual who had been appointed personal representative of her father’s estate by a court of competent jurisdiction (“Complainant”). The Complainant alleged that she had requested protected health information about her father from BILHBS and had not yet received all of the requested information. HHS’s investigation revealed that the Complainant made an access request for her father’s protected health information on February 12, 2019, and that BILHBS failed to provide access to all the requested documents until October 28, 2019.
  • Patricia King MD & Associates, located in Chesapeake, Virginia, has agreed to pay HHS $3,500. On October 18, 2018, OCR received a complaint alleging that Patricia King MD & Associates was not in compliance with the Privacy Rule because it refused to provide an individual with access to her protected health information. On November 30, 2018, OCR provided the practice with technical assistance regarding the individual’s right of access to protected health information and closed the complaint. On February 13, 2019, OCR received a second complaint concerning the practice’s continued noncompliance with the Privacy Rule’s access requirements. On April 30, 2019, HHS notified Patricia King MD & Associates that it was investigating the practice’s compliance with the HIPAA Rules.
  • Wise Psychiatry, PC (Wise Psychiatry) has agreed to pay HHS $10,000. The complainant alleged that Wise Psychiatry failed to provide him with timely access to his minor son’s protected health information (“PHI”); the complainant is his minor son’s personal representative. HHS’s investigation verified that on November 26, 2017, the complainant sent Wise Psychiatry, via certified mail, a written request for access that included photocopies of his son’s birth certificate and the complainant’s driver’s license, along with the complainant’s full contact information and return address. A certified mail receipt, indicating that the request had been delivered to Wise Psychiatry, was signed on December 4, 2017. As a result of OCR’s investigation, Wise Psychiatry sent the complainant a copy of his son’s PHI via certified mail on May 30, 2019.

July 27, 2020 Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach  

  • Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. Lifespan includes three academic teaching hospitals: Rhode Island Hospital and its Hasbro Children’s Hospital; The Miriam Hospital; and Bradley Hospital. It also includes Newport Hospital and Gateway Healthcare. On Saturday, February 25, 2017, a Rhode Island Hospital employee’s car was broken into while it was parked in a public lot. One of the items stolen was a MacBook laptop the employee used for work purposes. The laptop was never recovered. Lifespan ascertained that the employee’s work emails may have been cached in a file on the device’s hard drive. Its analysis revealed that the thieves had access to patient names, medical record numbers, demographic information including partial address information, and the name of one or more medications that were prescribed or administered to patients. The protected health information on the stolen laptop may have included information for patients across various affiliated provider facilities and belonged to Rhode Island Hospital, Lifespan Pharmacy LLC, retail pharmacies and affiliated hospitals of Lifespan. HHS’s investigation indicated that Lifespan failed to implement policies and procedures to encrypt all devices used for work purposes, did not implement policies and procedures to track or inventory all devices that access the network or contain ePHI, and did not have the proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of the Lifespan ACE. Lifespan impermissibly disclosed the PHI of 20,431 individuals.

July 23, 2020 Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements

  • Metropolitan Community Health Services (MCHS), dba Agape Health Services, has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. MCHS is a nonprofit Federally Qualified Health Center that provides a variety of discounted medical services to the underserved population in rural North Carolina, and these facts were taken into account in reaching this agreement. Since 1999, MCHS has provided a wide range of healthcare services, including an on-site pharmacy, dental, behavioral health, gynecology, and primary and pediatric care, to individuals in North Carolina. It employs approximately 43 people and serves approximately 3,100 patients annually. On June 9, 2011, OCR received a breach report from MCHS. During its investigation, OCR learned that MCHS had widespread compliance issues and conducted a compliance review, which found that MCHS was not in compliance with the HIPAA Rules: MCHS failed to implement HIPAA Security Rule policies and procedures; until June 30, 2016, it failed to provide its workforce with HIPAA security awareness and training; and it failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it held.

March 3, 2020 Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements 

  • Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah. OCR initiated a compliance review of the practice following receipt of the practice’s breach report on November 21, 2013. The breach report claimed that Elevation43, a business associate of Dr. Porter’s electronic health record (EHR) company, was impermissibly using the practice’s patients’ electronic protected health information (“ePHI”) by blocking the practice’s access to that ePHI until Dr. Porter paid Elevation43 $50,000. OCR’s investigation revealed significant noncompliance with the HIPAA Rules. The practice failed to implement policies and procedures to prevent, detect, contain, and correct security violations; specifically, it failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI, and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The practice also permitted Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on the practice’s behalf since at least 2013 without obtaining satisfactory assurances that the EHR company would appropriately safeguard the ePHI.


©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy