What are some of the actual HIPAA fines?

Resolution Agreements and Civil Money Penalties

A resolution agreement is a settlement agreement signed by the Department of Health and Human Services (HHS) and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

Some examples of obligations that a resolution agreement and its corrective action plan (CAP) impose are:

  • The covered entity agrees to pay the Resolution Amount within 30 days of the Effective Date of the Agreement by automated clearing house transaction pursuant to written instructions to be provided by HHS. 
  • Within thirty (30) calendar days of the Effective Date, the covered entity shall review, and to the extent necessary, revise its policies and procedures related to access to protected health information that includes methods of calculating the costs for access to PHI. 
  • Within sixty (60) calendar days of the Effective Date, the covered entity shall provide training materials regarding the individual’s right of access to PHI. 
  • Within ninety (90) calendar days of receipt of HHS’s approval of the policies and procedures and every ninety (90) days thereafter while under the Term of this CAP, the covered entity shall submit to HHS a list of requests for access to PHI received by the covered entity, including the date request received, date request completed, format requested, format provided, number of pages (if provided in paper format), and cost, excluding postage.
  • Within one hundred twenty (120) calendar days after the receipt of HHS’s approval of the policies and procedures the covered entity shall submit a written report to HHS summarizing the status of its implementation of the requirements of the corrective action plan.
  • The one (1) year period after the Effective Date and each subsequent one (1) year period during the course of the Compliance Term shall be known as a “Reporting Period.” Within sixty (60) calendar days after the close of each corresponding Reporting Period, the covered entity shall submit a report to HHS regarding the covered entity’s compliance with the CAP for each corresponding Reporting Period (“Annual Report”).

State Attorneys General can also impose fines for privacy violations. For example, the Consumer Protection Division of the Office of the Attorney General in Florida is the civil enforcement authority for violations of the Florida Deceptive and Unfair Trade Practices Act. Since 2011, the Division has generated more than $10 billion in recoveries. Approximately $9.8 billion of that total has been or will soon be returned for the benefit of Floridians.

Keep in mind, the Department of Justice (DOJ), the Office of Inspector General (OIG), and the Federal Trade Commission (FTC) can also impose fines based on fraud or misleading information.

July 15, 2022 Eleven enforcement actions uphold patients’ rights under HIPAA 

https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html

HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans. After receiving a request, an entity has, absent an extension, 30 days to provide an individual or their representative with their records. A new rule may be in the making to reduce this to 15 days, but for now it is 30 days, with one 30-day extension available provided that, within the original 30-day period, the entity tells the patient the date by which they will receive their records. The Office for Civil Rights (OCR) has taken the following enforcement actions and ensured that complainants received copies of their records:

  • ACPM Podiatry, with offices in Peoria and Canton, Illinois, failed to provide a former patient with his requested medical records.  In response to an initial complaint, OCR provided ACPM with written technical assistance regarding the Privacy Rule’s right of access standard and closed the matter. OCR received a second complaint from the same individual, alleging that ACPM still had not provided the medical records, after numerous requests. ACPM did not respond to multiple data requests from OCR, nor to OCR’s Letter of Opportunity and Notice of Proposed Determination.  OCR issued a Notice of Final Determination and imposed a civil money penalty of $100,000. 
  • Associated Retina Specialists, of New York, failed to provide a patient with a copy of her medical records until three days after OCR initiated its investigation, and nearly five months after the complainant’s first written request. Associated Retina has agreed to take corrective actions and paid $22,500 to settle a potential violation of the HIPAA Privacy Rule right of access standard. 
  • Lawrence Bell, Jr., D.D.S., a dental practice located in Baltimore, MD, failed to provide timely access to a patient’s medical record. The dental practice has agreed to take corrective actions and has paid $5,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Coastal Ear, Nose, and Throat (ENT), located in Ormond Beach, Florida, failed to provide timely access to medical records after multiple requests for such records from a patient. Coastal ENT has agreed to take corrective actions and has paid $20,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Danbury Psychiatric Consultants (DPC), located in Massachusetts, failed to respond timely to a complainant’s access request.  DPC also withheld the complainant’s access on the basis that the complainant had an outstanding balance and required a signed request or authorization request. DPC has agreed to take corrective actions and has paid $3,500 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Erie County Medical Center Corporation, a public benefit corporation that operates a hospital, Erie County Medical Center (ECMC), located in Buffalo, New York, failed to timely provide an individual with a complete copy of his medical records. ECMC has agreed to take corrective actions and has paid $50,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Fallbrook Family Health Center, located in Nebraska, failed to provide timely access to medical records.  Fallbrook Family Health Center has agreed to take corrective actions and has paid $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Hillcrest Nursing and Rehabilitation, located in Massachusetts, failed to provide an individual’s personal representative with timely access to her son’s medical records. Hillcrest has agreed to take corrective actions and has paid $55,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • MelroseWakefield Healthcare (MWH), a provider in Massachusetts, did not provide a personal representative with timely access to medical records on the mistaken basis that the durable power of attorney in this instance did not allow for the provision of such medical records. MWH has agreed to take corrective actions and has paid $55,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Memorial Hermann Health System, a not-for-profit health system in Southeast Texas, consisting of 17 hospitals, including Memorial Hermann Katy Hospital, failed to respond timely to a complainant’s access request.  Memorial Hermann has agreed to corrective actions and has paid $240,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 
  • Southwest Surgical Associates (SWSA) is a group practice with nine locations in the Greater Houston, TX area that failed to provide an individual timely access to their health information. SWSA has agreed to corrective actions and has paid $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 

July 14, 2022 Oklahoma State University – Center for Health Sciences Pays $875,000 to Settle Hacking Breach

  • Oklahoma State University – Center for Health Sciences (OSU-CHS) has paid $875,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. On January 5, 2018, OSU-CHS filed a breach report stating that an unauthorized third party gained access to a web server that contained electronic protected health information (ePHI). The hacker installed malware that resulted in the disclosure of the ePHI of 279,865 individuals, including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSU-CHS initially reported that the breach occurred on November 7, 2017, but later reported that the ePHI was first impermissibly disclosed on March 9, 2016. OCR’s investigation found potential violations of the HIPAA Rules including: impermissible uses and disclosures of PHI; failure to conduct an accurate and thorough risk analysis; failure to perform an evaluation; failure to implement audit controls and security incident response and reporting; and failure to provide timely breach notification to affected individuals and HHS.

March 28, 2022 Four HIPAA enforcement actions hold healthcare providers accountable with compliance 

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/march-2022-hipaa-enforcement/index.html

November 30, 2021 Five enforcement actions hold healthcare providers accountable for HIPAA Right of Access

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/2021-right-of-access-initiative/index.html

  • Advanced Spine & Pain Management (ASPM): HHS’s investigation found that on November 25, 2019, the complainant submitted to ASPM, in person, a written request seeking access to his PHI. ASPM acknowledged it received the complainant’s request on the same date. ASPM did not send the complainant a copy of his PHI until March 19, 2020, and was fined $32,150.
  • Denver Retina Center (DRC): DRC admitted it was late in responding to the complainant’s request for her medical records, but DRC never confirmed the date of the request. In addition, after reviewing DRC’s policies and procedures, HHS concluded that it did not have compliant access policies and procedures under the Privacy Rule. DRC was fined $30K.
  • Dr. Robert Glaser: a solo practitioner specializing in cardiovascular disease and internal medicine was fined $100K. A complainant had requested medical records several times, and Dr. Glaser ignored OCR’s request for information.
  • Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido”): On December 4, 2019, January 28, 2020, and February 20, 2020, OCR received complaints from a patient (“Complainant”). The complaints alleged that Monte Nido failed to provide the Complainant with a copy of her medical records in response to the Complainant’s October 1, 2019, and November 21, 2019 access requests. The Covered Entity did not send the requested records until May 22, 2020, and was fined $160K.
  • Wake Health Medical Group: Wake Health Medical Group is a small practice located in Raleigh, North Carolina, which offers primary care services, cosmetic full body skin exams, biopsy, massage and laser treatments. On December 19, 2020, OCR received a complaint alleging that Wake Health Medical Group had not provided the complainant with a copy of her medical records despite her making a request in person on June 27, 2019, and paying a fee of $25 for the records. During the course of the investigation, OCR learned via a phone call on April 15, 2021, with the Receptionist at Wake Health Medical Group that Wake Health Medical Group charges its patients a flat fee of $25 for a copy of their medical records. To date, Wake Health Medical Group has failed to provide the complainant with a copy of her medical records. The practice was fined $10K.

September 10, 2021 OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement  

  • Children’s Hospital & Medical Center (CHMC) was fined $80K because CHMC failed to provide the complainant with timely access to her deceased daughter’s protected health information, for which she is her late minor daughter’s personal representative. HHS’s investigation found that on January 3, 2020, the complainant submitted a written request to CHMC for access to her late minor daughter’s medical records. At the time of the request, CHMC provided the complainant with a portion of the requested records. The remainder needed to be collected from another CHMC division. The complainant received the remaining records on June 20, 2020, and July 16, 2020. HHS has required that CHMC review, and to the extent necessary, revise its policies and procedures related to the right of access.

June 2, 2021 OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative  

  • The Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) DELC is a healthcare provider located in Martinsburg, West Virginia, operated by Dr. Philip J.A. Ryan, and specializing in endocrinology. In early August 2019, a complaint was filed with OCR alleging that DELC failed to take timely action in response to a parent’s records access request made in July 2019, for a copy of her minor child’s protected health information. OCR initiated an investigation and determined that DELC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. DELC has agreed to take corrective actions and pay $5,000 within 30 days of the Resolution Agreement to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. 

May 25, 2021 Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations 

  • Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. In December 2017, OCR initiated a compliance review of Peachstate to determine its compliance with the HIPAA Privacy and Security Rules.  OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.

March 26, 2021 OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative 

  • Village Plastic Surgery (“VPS”) has agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. VPS is located in New Jersey and provides cosmetic plastic surgery services. OCR initiated an investigation and determined that VPS’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard, which requires a covered entity to take action on an access request within 30 days of receipt (or within 60 days if an extension is applicable). As a result of OCR’s investigation, VPS sent the patient their requested records.

March 24, 2021 OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative 

  • The Arbour, Inc., doing business as Arbour Hospital (“Arbour”), has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. Arbour is located in Massachusetts and provides behavioral health services. In July 2019, a complaint was filed with OCR alleging that Arbour failed to take timely action in response to a patient’s records access request made in May 2019. OCR provided Arbour with technical assistance on the HIPAA Right of Access requirements. Later, in July 2019, OCR received a second complaint alleging that Arbour still had not responded to the same patient’s records access request. OCR initiated an investigation and determined that Arbour’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Arbour provided the patient with a copy of their requested records in November 2019, more than 5 months after the patient’s request. 

February 12, 2021 OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative 

  • Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (“SRMC”), has agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In June 2019, a complaint was filed with OCR alleging that SRMC failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided SRMC with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the patient’s records access request. OCR initiated an investigation and determined that SRMC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.  As a result of OCR’s investigation, SRMC provided access to the requested records. 

February 10, 2021 OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative 

  • Renown Health, P.C., a private, not-for-profit health system in Nevada, has agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In February 2019, OCR received a complaint alleging that Renown Health failed to timely respond to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party.  OCR’s investigation determined that Renown Health’s failure to provide timely access to the requested records was a potential violation of the HIPAA right of access standard. As a result of OCR’s investigation, Renown Health provided access to all of the requested records.

January 15, 2021 Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People  

  • Excellus Health Plan, Inc. has agreed to pay $5.1 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 9.3 million people.  Excellus Health Plan is a New York health services corporation that provides health insurance coverage to over 1.5 million people in Upstate and Western New York. OCR’s investigation found potential violations of the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.

January 12, 2021 OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative 

December 22, 2020 OCR Settles Thirteenth Investigation in HIPAA Right of Access Initiative 

November 19, 2020 OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative 

  • The University of Cincinnati Medical Center, LLC (UCMC), which is an academic medical center providing healthcare services to the Greater Cincinnati community, has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

November 12, 2020 OCR Settles Eleventh Investigation in HIPAA Right of Access Initiative 

  • Dr. Rajendra Bhayani, who is a private practitioner specializing in otolaryngology in Regal Park, New York, has agreed to take corrective actions and pay $15,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

November 6, 2020 OCR Settles Tenth Investigation in HIPAA Right of Access Initiative 

  • Riverside Psychiatric Medical Group (“RPMG”) has agreed to take corrective actions and pay $25,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. RPMG, based in Riverside, California, is a group practice specializing in child and adolescent psychiatry, geriatric psychiatry, neuropsychiatry, psychology, and substance use disorders.

October 30, 2020 City Health Department failed to terminate former employee’s access to protected health information  

  • The City of New Haven, Connecticut (New Haven) has agreed to pay $202,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.  The New Haven Health Department, among other things, operates a public health clinic that provides preventative medical services, including adult and pediatric immunizations.

October 28, 2020 Aetna Pays $1,000,000 to Settle Three HIPAA Breaches 

  • Aetna Life Insurance Company and affiliated covered entity (Aetna) has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Aetna failed to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of protected health information (PHI). Aetna failed to implement procedures to verify that a person or entity seeking access to PHI is the one claimed. Aetna failed to limit the PHI disclosed to the amount reasonably necessary to accomplish the purpose of the use or disclosure. Aetna failed to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

October 9, 2020 OCR Settles Ninth Investigation in HIPAA Right of Access Initiative  

  • NY Spine Medicine (NY Spine) has agreed to take corrective actions and pay $100,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. NY Spine is a private medical practice specializing in neurology and pain management with offices in New York, NY, and Miami Beach, FL. 

October 7, 2020 OCR Settles Eighth Investigation in HIPAA Right of Access Initiative

  • Dignity Health, dba St. Joseph’s Hospital and Medical Center (“SJHMC”), has agreed to take corrective actions and pay $160,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access provision. SJHMC, based in Phoenix, Arizona, is a large, acute care hospital with several hospital-based clinics that provide a wide range of health, social, and support services.

September 25, 2020 Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People  

  • Premera Blue Cross (PBC) has agreed to pay $6.85 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 10.4 million people. HHS’s investigation indicated potential violations that included: failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by PBC; failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; failure, until March 8, 2015, to implement sufficient hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI; and failure to prevent unauthorized access to the ePHI of 10,466,692 individuals whose information was maintained in PBC’s network.

September 23, 2020 HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals 

  • CHSPSC LLC (“CHSPSC”) has agreed to pay $2,300,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over six million people. CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. CHSPSC was unaware of the intrusion until notified by the Federal Bureau of Investigation (FBI) on April 18, 2014. HHS’s investigation indicated potential violations that included: failure to prevent unauthorized access to the ePHI of 6,121,158 individuals whose information was maintained in CHSPSC’s network; failure, from April 18, 2014 to June 18, 2014, to respond to a known security incident, mitigate to the extent practicable the harmful effects of the security incident, and document the security incident and its outcome; failure to implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to information systems maintained by CHSPSC; failure to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports; and failure to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHSPSC.

September 21, 2020 Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance with HIPAA Rules 

  • Athens Orthopedic Clinic PA (“Athens Orthopedic” or “AOC”) has agreed to pay $1,500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Athens Orthopedic is located in Georgia. On June 28, 2016, a hacker group known as “The Dark Overlord” contacted AOC by email and demanded money in return for not selling or further disclosing the complete copy of the database it had stolen. It was determined, through computer forensic analysis, that the Dark Overlord had obtained a vendor’s credentials to AOC’s system and used them to gain access on June 14, 2016. While AOC terminated the compromised credentials on June 27, 2016, the Dark Overlord’s continued intrusion was not effectively blocked until July 16, 2016. OCR’s investigation indicated potential violations that included: failure to prevent unauthorized access to the ePHI of 208,557 individuals whose information was maintained in AOC’s information systems; failure, until August 2016, to maintain copies of AOC’s HIPAA policies and procedures; failure, from September 30, 2015 to December 15, 2016, to implement sufficient hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI; failure, until August 7, 2017, to enter into business associate agreements with three of its business associates, Quest Records LLC, Total Technology Solutions, and SRS Software LLC; failure, until January 15, 2018, to provide its entire workforce with HIPAA training; failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by AOC; and failure to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

September 15, 2020 OCR Settles Five Investigations in HIPAA Right of Access Initiative  

  • Housing Works Inc., the parent company of Housing Works Health Services, III (d/b/a Housing Works Community Healthcare, or HWCH), has agreed to pay HHS the amount of $38,000. Housing Works, Inc. is a New York City based non-profit organization fighting AIDS and homelessness. Housing Works Inc. also provides health care, advocacy, job training, reentry services, and legal aid support. On August 13, 2019, OCR received a complaint from the complainant alleging that HWCH, the covered entity, had not provided him with a copy of his medical records. The investigation established that HWCH failed to timely provide the complainant with a copy of his medical records.
  • All Inclusive Medical Services Inc. (“AIMS”) has agreed to pay HHS the amount of $15,000. AIMS is a health care provider located in Carmichael, California. On April 25, 2018, OCR received a complaint alleging that AIMS refused to give the complainant access to her medical records when it failed to provide her with a copy and refused her request to inspect her records.
  • Northeast Behavioral Health Corporation, dba Beth Israel Lahey Health Behavioral Services (“BILHBS”), f/k/a Lahey Health Behavioral Services, has agreed to pay HHS the amount of $70,000. On April 26, 2019, HHS received a complaint against BILHBS from an individual who had been appointed as the personal representative of her father’s estate by a court of competent jurisdiction (“Complainant”). The Complainant alleged that she had requested protected health information about her father from BILHBS and had not yet received all of the requested information. HHS’s investigation revealed that, on February 12, 2019, the Complainant made an access request for her father’s protected health information; BILHBS failed to provide access to all the requested documents until October 28, 2019.
  • Patricia King MD & Associates has agreed to pay HHS the amount of $3,500. The office is located in Chesapeake, Virginia. On October 18, 2018, OCR received a complaint alleging that Patricia King MD & Associates was not in compliance with the Privacy Rule. The complaint alleged that Patricia King MD & Associates refused to provide an individual with access to her protected health information. On November 30, 2018, OCR provided Patricia King MD & Associates with technical assistance regarding the individual’s right of access to protected health information and closed the complaint. On February 13, 2019, OCR received a second complaint concerning Patricia King MD & Associates’ continued noncompliance with the requirements of the Privacy Rule concerning access. On April 30, 2019, HHS notified Patricia King MD & Associates of its investigation of Patricia King MD & Associates’ compliance with the HIPAA Rules promulgated by HHS pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Wise Psychiatry, PC (Wise Psychiatry) has agreed to pay HHS the amount of $10,000. The Complainant alleged that Wise Psychiatry failed to provide him with timely access to his minor son’s protected health information (“PHI”). The Complainant is his minor son’s personal representative. HHS’s investigation verified that on November 26, 2017, the Complainant submitted to Wise Psychiatry, via certified mail, a written request for access, which included photocopies of his son’s birth certificate and the Complainant’s driver’s license. The access request included the Complainant’s full contact information and return address. A certified mail receipt, indicating that the Complainant’s request had been delivered to Wise Psychiatry, was signed on December 4, 2017. As a result of OCR’s investigation, Wise Psychiatry sent the Complainant a copy of his son’s PHI via certified mail on May 30, 2019.

July 27, 2020 Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach  

  • Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a non-profit health system based in Rhode Island, has agreed to pay $1,040,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to the theft of an unencrypted laptop. Lifespan includes three academic teaching hospitals: Rhode Island Hospital and its Hasbro Children’s Hospital; The Miriam Hospital; and Bradley Hospital. It also includes Newport Hospital and Gateway Healthcare. On Saturday, February 25, 2017, a Rhode Island Hospital employee’s car was broken into while it was parked in a public lot. One of the items stolen was a MacBook laptop used by the employee for work purposes. The laptop was never recovered. Lifespan ascertained that the employee’s work emails may have been cached in a file on the device’s hard drive. The analysis revealed that the thieves had access to patient names, medical record numbers, demographic information (including partial address information), and the name of one or more medications that were prescribed or administered to patients. The protected health information on the stolen laptop may have included information for patients across various affiliated provider facilities and belonged to Rhode Island Hospital, Lifespan Pharmacy LLC, retail pharmacies, and affiliated hospitals of Lifespan. HHS’ investigation indicated a failure to implement policies and procedures to encrypt all devices used for work purposes. Lifespan did not implement policies and procedures to track or inventory all devices that access the network or that contain ePHI. Lifespan did not have the proper business associate agreements in place between Lifespan Corporation and the Lifespan healthcare provider affiliates that are members of the Lifespan ACE. Lifespan impermissibly disclosed the PHI of 20,431 individuals.

July 23, 2020 Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements

  • Metropolitan Community Health Services (Metro), dba Agape Health Services, has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Metro is a nonprofit Federally Qualified Health Center that provides a variety of discounted medical services to the underserved population in rural North Carolina, and these facts were taken into account in reaching this agreement. Since 1999, Metro has provided a wide range of healthcare services, including an on-site pharmacy, dental, behavioral health, gynecology, and primary and pediatric care, to individuals in North Carolina. It employs approximately 43 people and serves approximately 3,100 patients annually. On June 9, 2011, OCR received a Breach Report from Metro. During its investigation, OCR learned that Metro had widespread compliance issues. OCR conducted a compliance review of Metro to determine its compliance status and found that Metro was not in compliance with the HIPAA Rules. Metro failed to implement HIPAA Security Rule policies and procedures. Until June 30, 2016, Metro failed to provide its workforce with HIPAA security awareness training. Metro failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it held.

March 3, 2020 Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements 

  • Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah. OCR initiated a compliance review of the Practice following receipt of the Practice’s breach report on November 21, 2013. The breach report claimed that Elevation43, a business associate of Dr. Porter’s electronic health record (EHR) company, was impermissibly using the Practice’s patients’ electronic protected health information (“ePHI”) by blocking the Practice’s access to that ePHI until Dr. Porter paid Elevation43 $50,000. OCR’s investigation revealed that the Practice demonstrated significant noncompliance with the HIPAA Rules. The Practice failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, the Practice had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI. Further, the Practice failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The Practice permitted Dr. Porter’s EHR company to create, receive, maintain, or transmit ePHI on the Practice’s behalf since at least 2013 without obtaining satisfactory assurances that the EHR company would appropriately safeguard the ePHI.


©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved