HIPAA fines are issued for various reasons and are usually the result of a settlement to end an Office for Civil Rights (OCR) investigation. OCR investigates organizations when breaches occur, or there is a complaint by a patient or employee. In 2023, OCR settled thirteen cases with healthcare organizations for potential HIPAA violations. This article covers HIPAA enforcement trends for 2023 and offers advice on how the settlements could have been prevented.
HIPAA Privacy Rule 2023: It’s Still the Right of Access
The HIPAA Right of Access includes the right to inspect or obtain a copy of protected health information (PHI), and to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.
2023 saw 4 right of access enforcement actions, bringing the total number of such actions to 46.
Life Hope Labs
The personal representative (daughter) of a deceased Life Hope Labs patient requested access to her father’s medical records in July of 2021. Life Hope Labs did not provide access until February 2022. OCR’s investigation of the representative’s complaint determined that Life Hope Labs’ failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. Rather than risk the negative finding of a civil monetary penalty, Life Hope Labs agreed to settle with OCR for $16,500 and submit to a two-year corrective action plan (CAP).
David Mente, MA, LPC
The small office of David Mente, MA, LPC in Pittsburgh, Pennsylvania, offers psychological care. In December 2017, a personal representative (father) filed a complaint against the practice after Dr. Mente failed to provide him with the records of his three minor children. OCR took action on the complaint by providing technical assistance to Dr. Mente – educating him on the right of access rule and what it requires. After providing the assistance, OCR closed out the complaint.
The OCR education did not modify the practice’s behavior. In April 2018, the father still had not received the requested records, so he filed a second complaint. OCR, in its subsequent investigation, determined that Dr. Mente potentially violated the right of access rule. OCR then brought an enforcement action, which was resolved through settlement. OCR and Dr. Mente settled for $15,000. As part of the settlement, Dr. Mente agreed to implement a corrective action plan. Lesson here: To OCR, size does not matter; OCR is taking right of access action against even the smallest organizations.
United Healthcare
In March 2021, OCR received a complaint alleging that UnitedHealthcare Insurance Company (UHIC) did not respond to an individual’s request for a copy of their medical record. The individual first requested a copy of their records on January 7, 2021, but did not receive them until July 2021, after OCR initiated its investigation. This was the third complaint OCR received from the complainant against UHIC, alleging failures to respond to his right of access. OCR’s investigation determined that UHIC’s failure to ensure timely access to the requested medical records was a potential HIPAA violation. UHIC agreed to an $80,000 settlement and corrective action plan to resolve the investigation.
Optum Medical Care
Optum Medical Care, a New Jersey and Connecticut multi-specialty physician group, was the subject of six complaints filed with OCR concerning potential violations of the right of access provision. In the fall of 2021, OCR received the six complaints, which alleged that Optum failed to provide copies of records requested by an adult patient, or by the parents of minor patients. The complaints disclosed that patients received their requested records between 84 and 231 days after their respective requests were submitted – well outside of the 30-day period a HIPAA-covered entity has to respond to a right of access request. Optum, not wishing to risk the imposition of up to six civil monetary penalties, settled with OCR in 2023 for $160,000, also agreeing to implement a corrective action plan requiring workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests.
How to Protect Your Practice from OCR Investigation for a Right of Access Violation
Providers seeking to avoid joining the company of the practices above can take a series of sensible measures to ensure compliance with the right of access provision. These measures include:
- Training staff on the practice’s Right of Access policies and procedures.
- Honoring the 30-day deadline. If a practice needs more time, it must inform patients in writing of the reason for the delay and when the patient may receive their records. This beats being the subject of yet another complaint over the same failure.
- If OCR gives you technical assistance, OCR expects you to follow it. Continuing to fail to adhere to the right of access rule after receiving that assistance exposes you to additional enforcement action.
HIPAA Privacy Rule 2023: Access Denied
In 2023, OCR also continued to enforce other aspects of the Privacy Rule.
Manasa Health
OCR settled with Manasa Health Center, LLC, for $30,000 over a 2020 complaint filed with OCR. The complainant alleged that Manasa, which provides adult and child psychiatric services, impermissibly disclosed the protected health information of a patient when Manasa posted a response to the patient’s negative online review.
Upon investigating the case, OCR found potential Privacy Rule violations, including impermissible disclosures of patients’ protected health information in response to negative online reviews and failure to implement policies and procedures with respect to protected health information. As part of the settlement, Manasa agreed to implement a two-year corrective action plan.
St. Joseph’s Medical Center
During the height of the COVID-19 pandemic, St. Joseph’s Medical Center disclosed three patients’ protected health information to the Associated Press without obtaining written authorization, potentially violating the HIPAA Privacy Rule. The Associated Press published this PHI in an article discussing St. Joseph’s response to the COVID-19 pandemic. Included in the publication were on-site photographs, which contained protected health information (PHI), such as patients’ COVID-19 diagnoses, current medical statuses and prognoses, vital signs, and treatment plans.
In response to patient complaints, St. Joseph’s settled with OCR over a potential Privacy Rule “impermissible disclosure” violation for $80,000. Under the CAP that St. Joseph’s agreed to, St. Joseph’s must amend its policies and procedures, and retrain its workforce on the new policies and procedures.
Key Takeaway:
The St. Joseph’s incident is not the first time a healthcare organization has come under fire for allowing the media to document patients without consent. Providers must be cognizant of when patient authorization is required to prevent a similar incident from occurring in their organization.
How to Protect Your Practice From Privacy Violations in 2024
To avoid investigation over a Privacy Rule “impermissible disclosure” violation, covered entities should enforce their policies and procedures, covering how to respond to online reviews and when PHI disclosures to media outlets are acceptable.
HIPAA Security 2023: Ransomware, Phishing, and SRAs
2023 saw vigorous OCR enforcement of the Security Rule. 2023 was also a year of Security Rule enforcement firsts – the first settlement over a ransomware breach and the first settlement over a phishing breach.
First Ransomware Breach Settlement
In October 2023, OCR announced a $100,000 settlement (and three-year corrective action plan) with Doctors’ Management Services (DMS), a Massachusetts medical management company. DMS was the victim of a ransomware attack that affected the ePHI of approximately 200,000 individuals. In April 2019, as required by the HIPAA Breach Notification Rule, DMS filed a breach report with OCR, indicating that these individuals were affected when DMS’ network server was infected with GandCrab (where do they come up with these names?) ransomware.
The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, upon viewing the breach report, OCR began its investigation into the breach.
OCR’s investigation found evidence of potential failures by Doctors’ Management Services to have in place a risk analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included:
- Insufficient monitoring of DMS health information systems activity to protect against a cyberattack.
- A lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.
No risk analysis, no monitoring, and no policies and procedures is a whistle (maybe more a foghorn) to potential attackers to come in, have a seat, rearrange the furniture, and redecorate.
The CAP requires DMS to take a series of measures to resolve potential HIPAA violations. These measures require DMS to:
- Review and update its risk analysis to identify the potential risks and vulnerabilities to DMS data to protect the confidentiality, integrity, and availability of electronic protected health information.
- Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
- Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
- Provide workforce training on HIPAA policies and procedures.
The lesson here is that HIPAA-covered entities should follow OCR best practices to mitigate or prevent cyber threats. These best practices include:
- Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
- Incorporate risk analysis and management into business processes, and conduct risk analysis and management regularly and when new technologies and business operations are planned.
- Ensure audit controls are in place to record and examine information system activity.
- Implement regular review of information system activity.
- Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
- Encrypt ePHI to guard against unauthorized access to ePHI.
- Incorporate lessons learned from incidents into the overall security management process.
- Regularly provide training specific to organizations and job responsibilities; reinforce workforce members’ critical role in protecting privacy and security.
The First Phishing Breach Settlement: Quite a Catch
In March 2021, a hacker accessed Lafourche Medical Group’s systems through an employee email account. As a result of this phishing attack, the PHI of approximately 34,862 patients was potentially exposed. Lafourche promptly reported the breach to OCR. OCR’s investigation determined that Lafourche had insufficient security measures in place. OCR specifically noted that Lafourche failed to conduct a security risk assessment (SRA), and lacked policies and procedures to regularly review information system activity – both potential HIPAA violations.
To settle the investigation, Lafourche agreed to pay $480,000 to OCR and to implement a two-year corrective action plan.
Key Takeaway:
HIPAA-covered entities should avail themselves of the numerous resources HHS has published on phishing attacks and how to prevent them. Awareness and training are key contributors to creating and maintaining a culture of compliance.
The HHS resources include:
- Health Sector Cybersecurity Coordination Center White Paper on AI-Augmented Phishing and the Threat to the Health Sector – PDF.
- HHS 405d Health Industry Cybersecurity Practices on Email Phishing Attacks – PDF.
- Videos on “How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks” in English and Spanish.
- OCR’s newsletter on Defending Against Common Cyber-Attacks.
Other Security Rule Settlements Resulting from Failure to Conduct a Security Risk Analysis
Banner Health
OCR began an investigation of Banner Health, an Arizona-based non-profit health system, following a breach report stating that an unauthorized party accessed the PHI of millions of Banner patients in 2016. OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including potential failures to meet:
- The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Banner.
- The requirement to implement sufficient procedures to regularly review records of information system activity.
- The requirement to implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
- The requirement to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
Faced with these findings, Banner agreed to settle with OCR for $1.25 million, and agreed to a two-year corrective action plan.
MedEvolve
In 2023, OCR entered into a $350,000 settlement agreement with MedEvolve, Inc. over a potential HIPAA violation. MedEvolve, Inc. is a business associate that provides practice management, revenue cycle management, and practice analytics software services to healthcare providers.
The settlement concludes OCR’s investigation of a data breach, during which OCR found that a server containing the protected health information of 230,572 individuals was left unsecured and accessible on the internet.
OCR, in a press release announcing the settlement, noted: “The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor.”
Yakima Valley Memorial Hospital
In June 2023, OCR settled with Yakima Valley Memorial Hospital for $240,000. As part of the settlement, Yakima agreed to submit to a two-year corrective action plan. OCR initiated its investigation into Yakima in May 2018 after receiving a breach notification report that 23 security guards used their login credentials to access patient electronic protected health information (ePHI). The security guards allegedly accessed files containing names, dates of birth, medical record numbers, addresses, treatment notes, and insurance information of 419 patients.
HHS’ investigation concluded that there was a potential violation by Yakima of the requirement to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule.
To resolve the matter with OCR, Yakima agreed to pay a $240,000 HIPAA fine, adopt a corrective action plan, and is subject to OCR monitoring for two years.
To prevent similar incidents from occurring in the future, Yakima must, under the CAP:
- Conduct an accurate and thorough security risk assessment.
- Develop and implement a risk management plan.
- Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.
- Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures.
- Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
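The audit-control and activity-review practices listed in the DMS lessons above, and the Yakima case of security guards opening clinical records outside their role, as an added example (not code from this page or from any organization it names): a Python review over constructed EHR audit-log lines that flags each access a user's role does not permit and builds an escalation list. The log format, the role-to-record-type policy, and the sample lines are all constructed assumptions; a real EHR audit log will differ.

```python
from collections import Counter
from dataclasses import dataclass
# Constructed policy: which record types each workforce role may open in the
# course of its duties. Security staff may look up patient location only.
ROLE_PERMITTED = {
    "physician": {"demographics", "treatment_notes", "insurance", "location"},
    "nurse": {"demographics", "treatment_notes", "location"},
    "billing": {"demographics", "insurance"},
    "security_guard": {"location"},
}

@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    role: str
    mrn: str
    record_type: str

def parse_line(line: str) -> dict:
    """Parse one constructed audit line: timestamp|user|role|mrn|record_type."""
    ts, user, role, mrn, record_type = line.strip().split("|")
    return {"ts": ts, "user": user, "role": role, "mrn": mrn, "record_type": record_type}

def review_access_log(lines) -> list:
    """Return one Finding per access that the user's role does not permit."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        e = parse_line(line)
        allowed = ROLE_PERMITTED.get(e["role"], set())  # unknown role: permit nothing
        if e["record_type"] not in allowed:
            findings.append(Finding(e["ts"], e["user"], e["role"], e["mrn"], e["record_type"]))
    return findings

def users_over_threshold(findings, threshold: int) -> dict:
    """Users whose flagged-access count reaches the threshold: the escalation list."""
    counts = Counter(f.user for f in findings)
    return {u: n for u, n in counts.items() if n >= threshold}

# Constructed sample log (not real data): timestamp|user|role|mrn|record_type
SAMPLE_LOG = """\
2018-04-02T08:15:00|drsmith|physician|MRN1001|treatment_notes
2018-04-02T08:20:00|guard07|security_guard|MRN1001|location
2018-04-02T08:21:00|guard07|security_guard|MRN1001|treatment_notes
2018-04-02T08:25:00|guard07|security_guard|MRN1002|insurance
2018-04-02T09:00:00|billing2|billing|MRN1003|insurance
2018-04-02T09:05:00|guard12|security_guard|MRN1004|demographics
""".splitlines()

if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} ({f.role}) opened {f.record_type} for {f.mrn}")
    print("escalate:", users_over_threshold(review_access_log(SAMPLE_LOG), 2))
```

Run against a real export, the same review would be scheduled regularly and its escalation list routed to the privacy officer, which is the "regular review of information system activity" OCR looked for in these cases.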
iHealth
In 2023, OCR announced a $75,000 settlement of potential violations of the HIPAA Privacy and Security Rules with iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to healthcare providers. The settlement was prompted by an OCR investigation. During the investigation, OCR discovered that a data breach occurred when a network server containing the protected health information of 267 individuals was left unsecure on the internet.
OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization. The English phrase for this term is “risk analysis.”
LA Care Health Plan
In September 2023, OCR announced a $1.3 million settlement with L.A. Care Health Plan (LA Care) over potential HIPAA violations. LA Care is the nation’s largest publicly operated health plan, providing healthcare benefits and coverage through state, federal, and commercial programs. A large breach report filed by LA Care with OCR, and a media article regarding a separate incident, resulted in an OCR investigation of LA Care’s security practices. The investigation concluded with a finding of the following potential HIPAA violations:
- Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level
- Failure to implement sufficient procedures to regularly review records of information system activity
- Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI
- Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
Key Takeaways:
The Banner, MedEvolve, Yakima, iHealth, and LA Care Health Plan settlements share one prominent thing in common: in each investigation, OCR found either a potential violation of the rule requiring performance of a risk assessment, or a potential violation of the rule requiring policies and procedures covering how to perform the assessment.