2019 was a busy year for the Department of Health and Human Services’ (HHS) Office for Civil Rights. In 2019, OCR HIPAA enforcement efforts were a product of both existing key HIPAA compliance activities, as well as shifting priorities.
In October, the Director of OCR, Roger Severino, was a featured speaker at the “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference co-hosted on October 16 and 17 by the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS).
At the conference, Severino recounted important aspects of HIPAA 2019 enforcement.
HIPAA 2019: What Enforcement Trends Should Covered Entities be Aware of?
As made clear by Severino, as well as by the specific enforcement actions taken in 2019 by OCR, the key takeaways from HIPAA 2019 enforcement efforts are:
HIPAA 2019: Covered Entities Must Focus on the Right to Access
In 2019, OCR announced its “Right to Access Initiative,” under which OCR promised to robustly enforce patient rights to receive copies of their medical records. Under the initiative, OCR also promised to clamp down on providers that charge patients excessive fees for their medical records. (Earlier this year, the White House also issued an Executive Order on Improving Price and Quality Transparency in Healthcare – another measure designed to enhance patient rights.)
The HIPAA Privacy Rule generally provides individuals with a legal, enforceable right to see and receive copies, upon request, of the protected health information (PHI) in their medical and other health records maintained by their health care providers and health plans. This right is known as the HIPAA Right of Access.
Under the HIPAA Privacy Rule Right of Access, medical record copy fees must be reasonable and cost-based.
This means that providers may only charge for the following:
- Labor for copying the PHI requested by the individual, whether in paper or electronic form.
  - Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.
  - Labor for copying does not include:
    - Costs associated with reviewing the request for access;
    - Searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other record; and
    - Segregating or otherwise preparing the PHI that is responsive to the request for copying.
- Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media.
OCR settled its first right of access case under the 2019 Right of Access Initiative in September, with Bayfront Health St. Petersburg. Under the terms of the settlement, Bayfront had to pay an $85,000.00 fine and implement a corrective action plan (CAP).
On August 14, 2018, OCR received a complaint against Bayfront from a patient (“Complainant”). Complainant alleged that she requested her fetal heart monitor records from Bayfront starting in October 2017 and had not received them by the date of her complaint. HHS’ investigation revealed that Complainant submitted a written request on October 18, 2017 for the fetal heart monitor records; Bayfront replied that the records were not found. On January 2, 2018 and February 12, 2018, Complainant’s counsel requested the records. Bayfront provided a complete response to Complainant’s counsel on August 23, 2018, after providing an incomplete set of the records in March 2018. Complainant’s counsel shared the records with her and, as a result of OCR’s investigation, on February 7, 2019 – finally – Bayfront provided Complainant with the fetal heart monitor records directly.
Upon investigation of the matter, OCR found that Bayfront took an unacceptably long amount of time to provide the records.
OCR settled its second right of access case under the 2019 Right of Access Initiative in December. OCR settled with Korunda Medical, LLC. Korunda, a Florida healthcare provider that provides primary care and pain management treatment, agreed to pay $85,000 to settle a potential right of access violation. In addition, under the settlement, Korunda must abide by the terms of a corrective action plan (CAP).
In March, OCR received a complaint concerning a Korunda patient alleging that, despite repeated requests, Korunda failed to forward the patient’s medical records in electronic format to a third party.
Not only did Korunda fail to timely provide the records to the third party, but Korunda also failed to provide them in the requested electronic format.
In addition, Korunda charged more than the reasonable, cost-based fee. OCR, after receiving the complaint, provided technical assistance to Korunda on how to remedy these issues, and then closed out the complaint.
The technical assistance apparently fell on deaf ears: despite OCR’s assistance, Korunda continued to fail to provide the requested records, triggering another OCR complaint. Upon receiving the second complaint, OCR intervened again. Only after the second intervention did Korunda provide the records – in May of 2019 – for free and in the format requested.
HIPAA 2019: Covered Entities Must Distinguish Between Right of Access Requests and Authorizations
At the October 2019 conference, Severino also emphasized that covered entities had failed to distinguish between the timeline associated with a right of access request and the timeline associated with authorizations.
The timeline associated with the right of access request is 30 days: covered entities must respond to a request for medical records within 30 days.
The “timeline” associated with HIPAA authorizations is the authorization expiration date. Under HIPAA, a patient authorization form (the form authorizing use or disclosure of protected health information) must contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
Notably, HIPAA does not impose any specific time limit on authorizations. For example, an authorization may state that it is good for 90 days, or even for 3 years. An authorization may also provide that it expires when the client reaches a certain age, or that it expires once the patient has received a specific course of treatment.
HIPAA 2019: Covered Entities Should Take Caution When Making Social Media Disclosures
Frequently, patients take to social media, such as Facebook and Twitter, to post complaints about providers. In doing so, patients make certain information – such as their names and information about their health status – public. Such information can be protected health information. While patients, who are not covered entities or business associates, may disclose their own PHI online, healthcare providers, bound by the HIPAA Privacy Rule, may not respond in kind by disclosing or confirming PHI when responding to online patient complaints.
Healthcare providers face a challenge when patients post complaints or make other statements on social media. Just because a patient has made certain information public does not mean that the provider can also post protected health information to respond to something the patient says.
HHS made this principle clear on October 2 when it entered into a $10,000.00 settlement with Elite Dental Associates. OCR’s investigation of Elite Dental Associates began in June of 2016, when OCR received a patient complaint. The patient alleged that the dental practice had responded to the patient’s Yelp social media posting by disclosing the patient’s last name and information about the patient’s health on Yelp.
OCR’s investigation determined that the dental practice did not have a policy or procedure to address compliance with HIPAA when using social media. OCR also found that Elite lacked a HIPAA-compliant Notice of Privacy Practices.
The parties entered into a resolution agreement that (in addition to the monetary fine) required Elite to abide by a two-year corrective action plan (CAP). Notably, the resolution agreement stated that the practice had responded to other social media reviews using PHI as well.
OCR decided to accept a reduced settlement in light of the fact that Elite cooperated with OCR during the investigation. The fine was also reduced in light of the practice’s size and financial circumstances.
Among other things, the two-year CAP requires development of certain policies and procedures, distributing them to all workforce members, and obtaining from each workforce member a signed compliance certification indicating that the workforce member has read, understands and will comply with them. The policies and procedures must be assessed at least annually and revised as needed.
HIPAA 2019 Key Takeaway 1: Cases are Chosen Based on Import and Message
This case underscores an important point made by Severino at the conference: OCR chooses cases based on their import and potential message, or, in the Director’s words, “we go for big cases and small cases.” Severino stated that OCR has no monetary targets for its investigations and settlements.
In other words, this case had an import beyond its (small) “dollar value”; OCR used this case to “send a message” that covered entities must observe the HIPAA Privacy Rule when they use social media.
HIPAA 2019 Key Takeaway 2: Cooperation Matters
Covered entities are required by law to cooperate with OCR during the investigation. Timely cooperation is one factor OCR may take into account when determining a settlement penalty figure.
The cooperation requirement cuts both ways: Entities that fail to cooperate with OCR subject themselves to higher fines, as illustrated by a 2011 Civil Monetary Penalty assessed against Cignet Health in the amount of $4.3 million.
During OCR’s investigations of Cignet, Cignet refused to respond to OCR’s repeated demands to produce patient medical records. Additionally, Cignet failed to cooperate with OCR’s investigations of patient right of access complaints, including failure to produce the records in response to OCR’s subpoena.
OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment (a judgment against a party who fails to answer the allegations made against it) against Cignet on March 30, 2010. On April 7, 2010, only after a lawsuit was filed against it, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.
OCR found that Cignet’s failure to cooperate with OCR’s investigations was due to willful neglect, resulting in the hefty monetary penalty.
HIPAA 2019 Key Takeaway 3: Financial Circumstances and Size are Considered
The reduced monetary penalty in the Elite Dental Associates matter was assessed, in part, due to OCR’s taking into account the size of the practice, as well as its financial circumstances. The HIPAA regulations specifically provide that HHS takes into account covered entity size and financial circumstances in determining monetary penalties.
HIPAA 2019: Government Entities Can be Fined, Too
In October, OCR imposed a $1.6 million Civil Money Penalty against the Texas Health and Human Services Commission, a Texas state agency, for multiple HIPAA violations committed between 2013 and 2017.
The Texas Health and Human Services Commission (TX HHSC) is a Texas state government agency. Its charge is to improve the health, safety and well-being of Texans with good stewardship of public resources. TX HHSC is part of the broader Texas Health and Human Services system, which:
- Operates state-supported living centers;
- Provides mental health and substance abuse services;
- Regulates child care and nursing facilities; and
- Administers programs for Texans who need assistance, including supplemental nutrition benefits and Medicaid.
TX HHSC’s predecessor agency was the Department of Aging and Disability Services (DADS). DADS was reorganized into TX HHSC in September of 2017.
In October of 2015, DADS filed a breach report with OCR. In its report, DADS informed OCR that the electronic protected health information (ePHI) of almost 7,000 individuals was viewable over the Internet. The ePHI consisted of (among other things) names, addresses, social security numbers, and treatment information.
The breach occurred inadvertently, when an internal application was moved from a private, secure server to a public one. A flaw in the software code allowed ePHI to be viewed without access credentials.
In its investigation, OCR determined that DADS had violated the HIPAA Security Rule by:
Because DADS’ audit controls were inadequate, DADS could not determine how many unauthorized persons had accessed individuals’ ePHI.
TX HHSC did not dispute OCR’s Notice of Proposed Determination, which proposed to fine TX HHSC in the sum of $1.6 million. OCR then issued a Notice of Final Determination, imposing a fine of $1.6 million.
The story of TX HHSC drives home several points. The first of these points is that entities that do not implement access controls, perform risk analysis, or implement audit controls, are committing HIPAA Security Rule violations, and, as such, are subject to fines. The second point is that OCR can fine not only private entities, but state government agencies as well, if these state government agencies are themselves covered entities or business associates.
HIPAA 2019: Entities Must Take Cybersecurity Seriously
At the conference, Severino recommended that organizations “really consider” testing employees about phishing, describing such training as “almost becoming standard,” and that organizations “really consider two-factor authentication.” He also emphasized the importance of appropriate access controls, including that “shared passwords are a huge no-no.” Severino has also noted that “Neglecting to have a comprehensive, enterprise-wide risk analysis… as illustrated by this case, is a recipe for failure.”
Severino’s concerns about cybersecurity are well-founded. During the first three quarters of 2019, hacking/IT breaches comprised over 60% of reported breaches involving 500 or more affected individuals. In the previous decade, hacking/IT breaches comprised only 28% of such reports. 65% of breaches in 2019 were directed at network servers and email – a record high. These higher figures can be attributed to increasingly well-targeted and sophisticated hacking techniques, including phishing techniques.
Failures to train workforce members, to implement appropriate access controls, and/or to conduct risk analyses resulted in phishing and other cyberattacks in 2019 – and in resultant OCR fines – as shown by the following examples:
HIPAA 2019 Example One: Touchstone Medical Imaging
In 2019, Touchstone Medical Imaging (“Touchstone”), a multistate diagnostic imaging provider, agreed to pay $3,000,000 to OCR and to adopt a corrective action plan to settle potential violations of the HIPAA Security and Breach Notification Rules.
The breach occurred as a result of a server’s allowing uncontrolled access to PHI. This access permitted search engines to index patient PHI, thereby allowing the PHI to remain visible on the Internet even after the affected server was taken offline.
OCR’s investigation found that Touchstone failed to:
HIPAA 2019 Example Two: Medical Informatics Engineering, Inc.
In 2019, Medical Informatics Engineering, Inc. (MIE), an Indiana company that provides software and electronic medical record services to healthcare providers, agreed to pay $100,000 to OCR and to implement a corrective action plan, to settle potential violations of the Privacy and Security Rules.
The breach occurred as a result of hackers’ using a compromised user ID and password to access the ePHI of approximately 3.5 million patients. OCR, after investigation, determined that MIE failed to conduct a comprehensive risk analysis prior to the breach.
As Severino noted in the press release announcing the settlement: “Entities entrusted with medical records must be on guard against hackers. The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
MIE agreed to undertake a corrective action plan that required, among other measures, completion of a full, enterprise-wide risk analysis.
HIPAA 2019 Example Three: Cottage Health
In February of 2019, OCR announced it had, in December of 2018, entered into a resolution agreement with Cottage Health, a California healthcare provider. Cottage Health agreed to pay $3 million and to adopt a substantial corrective action plan to settle potential HIPAA violations.
OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals, one in December 2013 and another in December 2015.
The first breach arose when ePHI on a Cottage Health server was accessible from the internet. OCR’s investigation determined that security configuration settings of the Windows operating system permitted access to files containing ePHI without requiring a username and password. As a result, patient names, addresses, dates of birth, diagnoses, conditions, lab results and other treatment information were available to anyone with access to Cottage Health’s server.
The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet. This ePHI included patient names, addresses, dates of birth, social security numbers, diagnoses, conditions, and other treatment information.