HIPAA Privacy Rule 2023: Access Denied
In 2023, OCR also continued to enforce other aspects of the Privacy Rule.
OCR settled with Manasa Health Center, LLC, for $30,000 over a 2020 complaint filed with OCR. The complainant alleged that Manasa, which provides adult and child psychiatric services, impermissibly disclosed the protected health information of a patient when Manasa posted a response to the patient’s negative online review.
Upon investigating the case, OCR found potential Privacy Rule violations, including impermissible disclosures of patients’ protected health information in response to negative online reviews and failure to implement policies and procedures with respect to protected health information. As part of the settlement, Manasa agreed to implement a two-year corrective action plan.
St. Joseph’s Medical Center
During the height of the COVID-19 pandemic, St. Joseph’s Medical Center disclosed three patients’ protected health information (PHI) to the Associated Press without obtaining written authorization, a potential violation of the HIPAA Privacy Rule. The Associated Press published this PHI in an article about St. Joseph’s response to the pandemic. The article included on-site photographs containing PHI such as patients’ COVID-19 diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.
In response to patient complaints, St. Joseph’s settled with OCR over a potential Privacy Rule “impermissible disclosure” violation for $80,000. Under the CAP that St. Joseph’s agreed to, St. Joseph’s must amend its policies and procedures, and retrain its workforce on the new policies and procedures.
The St. Joseph’s incident is not the first time a healthcare organization has come under fire for allowing the media to document patients without consent. Providers must be cognizant of when patient authorization is required to prevent a similar incident from occurring in their organization.
How to Protect Your Practice From Privacy Violations in 2024
To avoid an investigation over a Privacy Rule “impermissible disclosure” violation, covered entities should maintain and enforce written policies and procedures that cover how workforce members respond to online reviews and when PHI may be disclosed to media outlets (in general, only with the patient’s written authorization).
HIPAA Security 2023: Ransomware, Phishing, and SRAs
2023 saw vigorous OCR enforcement of the Security Rule. 2023 was also a year of Security Rule enforcement firsts – the first settlement over a ransomware breach and the first settlement over a phishing breach.
First Ransomware Breach Settlement
In October 2023, OCR announced a $100,000 settlement (and a three-year corrective action plan) with Doctors’ Management Services (DMS), a Massachusetts medical management company. DMS was the victim of a ransomware attack that affected the ePHI of approximately 200,000 individuals. In April 2019, as required by the HIPAA Breach Notification Rule, DMS filed a breach report with OCR stating that these individuals were affected when DMS’ network server was infected with GandCrab ransomware (where do they come up with these names?).
The initial unauthorized access to the network occurred on April 1, 2017, but DMS did not detect the intrusion until December 24, 2018, after the ransomware was used to encrypt its files: roughly 20 months of undetected access. OCR began its investigation in April 2019, upon receiving the breach report.
OCR’s investigation found evidence that DMS had potentially failed to conduct a risk analysis to determine the risks and vulnerabilities to electronic protected health information across the organization. Other findings concerned the absence of monitoring of information system activity and the absence of Security Rule policies and procedures.
No risk analysis, no monitoring, and no policies and procedures is a whistle (maybe more of a foghorn) inviting potential attackers to come in, have a seat, rearrange the furniture, and redecorate.
The CAP requires DMS to take a series of measures to resolve potential HIPAA violations. These measures require DMS to:
- Review and update its risk analysis to identify the potential risks and vulnerabilities to DMS data to protect the confidentiality, integrity, and availability of electronic protected health information.
- Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
- Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
- Provide workforce training on HIPAA policies and procedures.
The lesson here is that HIPAA-covered entities should follow OCR best practices to mitigate or prevent cyber threats. These best practices include:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Incorporate risk analysis and management into business processes, and conduct risk analysis and management regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Regularly provide training specific to organizations and job responsibilities; reinforce workforce members’ critical role in protecting privacy and security.
The First Phishing Breach Settlement: Quite a Catch
In March 2021, a hacker accessed Lafourche Medical Group’s systems through an employee email account. As a result of this phishing attack, the PHI of approximately 34,862 patients was potentially exposed. Lafourche promptly reported the breach to OCR. OCR’s investigation determined that Lafourche had insufficient security measures in place. OCR specifically noted that Lafourche failed to conduct a security risk assessment (SRA), and lacked policies and procedures to regularly review information system activity – both potential HIPAA violations.
To settle the investigation, Lafourche agreed to pay $480,000 to OCR and to implement a two-year corrective action plan.
HIPAA-covered entities should avail themselves of the numerous resources HHS has published on phishing attacks and how to prevent them. Awareness and training are key contributors to creating and maintaining a culture of compliance.
The HHS resources include:
Other Security Rule Settlements Resulting from Failure to Conduct a Security Risk Analysis
OCR began an investigation of Banner Health, an Arizona-based non-profit health system, following a breach report stating that an unauthorized party accessed the PHI of millions of Banner patients in 2016. OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures to meet:
- The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Banner.
- The requirement to implement sufficient procedures to regularly review records of information system activity.
- The requirement to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- The requirement to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Faced with these findings, Banner agreed to settle with OCR for $1.25 million, and agreed to a two-year corrective action plan.
In 2023, OCR entered into a $350,000 settlement agreement with MedEvolve, Inc. over a potential HIPAA violation. MedEvolve, Inc. is a business associate that provides practice management, revenue cycle management, and practice analytics software services to healthcare providers.
The settlement concludes OCR’s investigation of a data breach, during which OCR found that a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet.
OCR, in a press release announcing the settlement, noted: “The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor.”
Yakima Valley Memorial Hospital
In June 2023, OCR settled with Yakima Valley Memorial Hospital for $240,000. As part of the settlement, Yakima agreed to submit to a two-year corrective action plan. OCR initiated its investigation into Yakima in May 2018 after receiving a breach notification report that 23 security guards used their login credentials to access patient electronic protected health information (ePHI). The security guards allegedly accessed files containing names, dates of birth, medical record numbers, addresses, treatment notes, and insurance information of 419 patients.
HHS’ investigation concluded that there was a potential violation by Yakima of the requirement to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
As part of the resolution, Yakima is also subject to OCR monitoring for the two-year term of the CAP.
To prevent similar incidents from occurring in the future, Yakima must, under the CAP:
- Conduct an accurate and thorough security risk assessment.
- Develop and implement a risk management plan.
- Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.
- Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures.
- Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
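The audit-control and regular-review items in the best-practices list earlier on this page, and the Yakima incident just described (valid credentials used to read clinical records far outside the job role), come down to the same control: keep an access log for systems holding ePHI and actually review it against a minimum-necessary policy. The script below is an added example, not code from this article or from any of the organizations it discusses, showing how such a review can be automated. The log format, the role names, the policy table, and the log lines themselves are constructed for illustration.

```python
"""Audit-log review: flag ePHI access that falls outside a user's job role.

Added example; not from the article or any organization it mentions. The
log format, role names and policy table below are assumptions.
"""
from collections import defaultdict
import csv
import io

# Constructed sample of an EHR access audit trail (not real data).
SAMPLE_LOG = """\
timestamp,user,role,action,patient_id,record_type
2024-01-08T08:02:11,jdoe,physician,view,P1001,treatment_notes
2024-01-08T08:05:40,jdoe,physician,view,P1002,treatment_notes
2024-01-08T09:12:03,mlee,billing,view,P1001,insurance
2024-01-08T22:41:55,guard07,security,view,P1003,treatment_notes
2024-01-08T22:42:10,guard07,security,view,P1004,demographics
2024-01-08T22:43:02,guard07,security,view,P1005,treatment_notes
2024-01-09T03:15:29,guard12,security,view,P1006,demographics
2024-01-09T10:00:00,mlee,billing,view,P1007,treatment_notes
2024-01-09T11:00:00,svc_backup,contractor,view,P1008,treatment_notes
"""

# Assumed minimum-necessary policy: record types each role may view.
# A role with an empty set may log in but must never open patient records.
ALLOWED = {
    "physician": {"treatment_notes", "demographics", "insurance"},
    "nurse": {"treatment_notes", "demographics"},
    "billing": {"insurance", "demographics"},
    "security": set(),
}


def parse_log(text):
    """Parse the CSV audit trail into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(rows, allowed=ALLOWED):
    """Return one finding per access that the policy does not permit.

    Roles missing from the policy are treated as denied rather than
    silently allowed, so an unexpected account type is surfaced instead
    of ignored.
    """
    findings = []
    for row in rows:
        role, rtype = row["role"], row["record_type"]
        if role not in allowed:
            reason = f"role '{role}' has no entry in the access policy"
        elif rtype not in allowed[role]:
            reason = f"role '{role}' is not permitted to view '{rtype}'"
        else:
            continue  # permitted access, nothing to report
        findings.append({
            "timestamp": row["timestamp"],
            "user": row["user"],
            "role": role,
            "patient_id": row["patient_id"],
            "record_type": rtype,
            "reason": reason,
        })
    return findings


def summarize(findings):
    """Group findings by user and rank by distinct patients touched.

    The count of distinct patients, not raw events, drives follow-up
    priority: it is the number that ends up in a breach report.
    """
    by_user = defaultdict(lambda: {"role": None, "events": 0, "patients": set()})
    for f in findings:
        entry = by_user[f["user"]]
        entry["role"] = f["role"]
        entry["events"] += 1
        entry["patients"].add(f["patient_id"])
    ranked = sorted(by_user.items(),
                    key=lambda kv: (-len(kv[1]["patients"]), kv[0]))
    return [{"user": u, "role": e["role"], "events": e["events"],
             "distinct_patients": len(e["patients"])} for u, e in ranked]


if __name__ == "__main__":
    found = review_access(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['timestamp']} {f['user']} ({f['role']}) "
              f"{f['patient_id']} {f['record_type']}: {f['reason']}")
    for s in summarize(found):
        print(s)
```

Run against the constructed log, the review flags every record opened by the two security accounts, one out-of-scope clinical read by a billing user, and an account whose role the policy does not know about; the summary puts the account that touched the most distinct patients first. The policy table is the piece a real deployment has to get right, and it should be derived from the same job-role definitions the risk analysis and training program use.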
In 2023, OCR announced a $75,000 settlement of potential violations of the HIPAA Privacy and Security Rules with iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to healthcare providers. The settlement resolves an OCR investigation which found that a data breach occurred when a network server containing the protected health information of 267 individuals was left unsecured and accessible on the internet.
OCR’s investigation found evidence that iHealth Solutions had potentially failed to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization. In plain English: a risk analysis.
LA Care Health Plan
In September 2023, OCR announced a $1.3 million settlement with L.A. Care Health Plan (LA Care) over potential HIPAA violations. LA Care is the nation’s largest publicly operated health plan, providing healthcare benefits and coverage through state, federal, and commercial programs. A large breach report filed by LA Care with OCR, and a media article regarding a separate incident, resulted in an OCR investigation of LA Care’s security practices. The investigation concluded with a finding of the following potential HIPAA violations:
- Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level
- Failure to implement sufficient procedures to regularly review records of information system activity
- Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI
- Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
The Banner, MedEvolve, Yakima, iHealth, and LA Care Health Plan settlements share one prominent thing in common: in each inv