2020 was a year like no other in many ways. While the healthcare industry was arguably the most affected by the events of 2020, the Department of Health and Human Services (HHS) saw no need to slow down its enforcement efforts. This is evident from the fact that more HIPAA fines were issued in 2020 than in any year before. To give healthcare organizations guidance on how to avoid fines, the HIPAA fines of 2020 are discussed below.

HIPAA Fines 2020 and the Right of Access


The HHS, after determining that many healthcare organizations fail to comply with the HIPAA right of access standard, announced that it would focus its enforcement efforts on right of access violations. As a result, most HIPAA fines in 2020 were issued to organizations that failed to comply with this standard: 11 of the 19 fines issued in 2020 were for right of access violations.

“OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee,” said OCR Director Roger Severino.

What is the HIPAA right of access?

The HIPAA right of access requires organizations to provide patients, or their personal representatives, with copies of their medical records within 30 days of the request. The records must be provided in the format requested (e.g. CD, paper copies, etc.) when it is reasonably appropriate for the organization to do so. When the records cannot be provided in the requested format, an alternative format is permitted. In addition, healthcare providers may only charge a reasonable, cost-based fee for providing copies of medical records.


Five Fines Issued in One Day

On September 15, 2020, HHS’ OCR announced that it had fined five organizations for failing to comply with the HIPAA right of access standard. The fines were issued after the organizations failed to provide patients with timely access to their medical records.

  • Housing Works, Inc. Fined $38,000
  • All Inclusive Medical Services, Inc. Fined $15,000
  • Beth Israel Lahey Health Behavioral Services Fined $70,000
  • King MD Fined $3,500
  • Wise Psychiatry, PC Fined $10,000

St. Joseph’s Hospital and Medical Center Fined $160,000

On October 7, 2020, HHS’ OCR announced that it had fined St. Joseph’s Hospital and Medical Center $160,000. After receiving a complaint from a patient’s personal representative (in this case the mother of a minor patient), OCR conducted an investigation and determined that St. Joseph’s Hospital and Medical Center had failed to provide timely access to the patient’s medical records. The requested records were provided 22 months after her initial request.

NY Spine Medicine Fined $100,000

On October 9, 2020, HHS’ OCR announced that NY Spine Medicine had been fined $100,000 for failing to provide a patient with timely access to her medical records. NY Spine Medicine provided the patient with the requested records 15 months after her initial request.

Riverside Psychiatric Medical Group Fined $25,000

On November 2, 2020, HHS’ OCR announced that it had fined Riverside Psychiatric Medical Group $25,000. OCR conducted an investigation into Riverside Psychiatric Medical Group after receiving a patient complaint. Riverside believed that it had not violated the right of access because the requested files contained psychotherapy notes, which are not required to be disclosed to patients. However, Riverside failed to recognize that it was still required to provide the patient with access to the rest of their records.

Dr. Rajendra Bhayani Fined $15,000

On November 12, 2020, HHS’ OCR announced that it had fined Dr. Rajendra Bhayani $15,000. After a patient complained that Dr. Rajendra Bhayani failed to provide her access to her medical records, OCR launched an investigation. The patient received her records more than two years after her initial request.

University of Cincinnati Medical Center Fined $65,000

On November 19, 2020, HHS’ OCR announced that it had fined University of Cincinnati Medical Center $65,000. A patient issued a complaint after the organization failed to provide copies of requested medical records to her lawyers. University of Cincinnati Medical Center provided the requested records six months after the initial request.

Elite Primary Care Fined $36,000

On December 22, 2020, HHS’ OCR announced that it had fined Elite Primary Care $36,000. OCR began its investigation into Elite after a patient complained that he had not received a copy of his medical records. The patient received his requested records more than a year after his initial request.

HIPAA Fines 2020 and Risk Analyses

Several of the HIPAA fines in 2020 were issued to organizations that failed to conduct a thorough and accurate security risk analysis (SRA). The HHS requires healthcare organizations to conduct SRAs annually to ensure that HIPAA safeguards are adequately securing PHI. Annual SRAs are more important than ever, as healthcare breaches have grown exponentially over the last few years. When an organization fails to conduct these annual analyses, gaps in its security practices often go undetected, leaving the organization vulnerable to cybersecurity incidents.

“Entities entrusted with medical records must be on guard against hackers,” said OCR Director Roger Severino. “The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”

Steven A. Porter, M.D. Fined $100,000

On March 3, 2020, the HHS’ OCR announced that it had fined Steven A. Porter, M.D. $100,000 to settle potential HIPAA violations. The HHS cited failure to implement HIPAA Security Rule requirements, failure to conduct a thorough risk analysis, and failure to have a risk management plan as the reasons the organization was fined.

HIPAA Fines 2020 and Widespread Noncompliance

Several organizations were fined for widespread noncompliance, having failed to comply with several aspects of the HIPAA regulations.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” stated OCR Director Roger Severino.

Metropolitan Community Health Services Fined $25,000

On July 23, 2020, the HHS’ OCR announced that it had fined Metropolitan Community Health Services $25,000. Metropolitan Community Health Services had filed a breach report with HHS’ OCR in response to an incident that led to the unauthorized disclosure of PHI to an unknown recipient. The organization was fined for its failure to comply with the HIPAA Security and Privacy Rules, specifically failure to conduct risk analyses; failure to implement policies and procedures; and failure to provide workforce members with security awareness training.

Lifespan Affiliated Covered Entity Fined $1.04 Million

On July 27, 2020, the HHS’ OCR announced that it had fined Lifespan Affiliated Covered Entity $1.04 million for widespread noncompliance with HIPAA requirements. Lifespan filed a breach report after an unencrypted laptop containing PHI was stolen. After an investigation into the incident, OCR determined that Lifespan had potentially violated HIPAA. The organization was fined for its failure to encrypt ePHI on laptops when it was reasonable and appropriate to do so; failure to implement media and device controls; and failure to have a business associate agreement with Lifespan Corporation.

Athens Orthopedic Clinic PA Fined $1.5 Million

On September 21, 2020, the HHS’ OCR announced that it had fined Athens Orthopedic Clinic PA $1.5 million to settle potential HIPAA violations. Athens filed a breach report with OCR after its electronic medical record (EMR) platform was hacked. Upon investigation into the incident, OCR determined that Athens had violated several HIPAA requirements including failures to conduct a risk analysis; implement risk management and audit controls; maintain HIPAA policies and procedures; secure business associate agreements with multiple business associates; and provide HIPAA Privacy Rule training to workforce members.

CHSPSC, LLC Fined $2.3 Million

On September 23, 2020, the HHS’ OCR announced that it had fined CHSPSC, LLC $2.3 million for widespread noncompliance with HIPAA requirements. CHSPSC, LLC filed a breach report with OCR after its information system had been hacked. Upon investigation into the incident, it was determined that CHSPSC, LLC had failed to comply with several HIPAA standards. CHSPSC, LLC was fined for failure to conduct a security risk analysis; failure to implement information system activity review; failure to implement security incident procedures; and failure to implement access controls and audit logs.

Premera Blue Cross Fined $6.8 Million

On September 25, 2020, the HHS’ OCR announced that it had fined Premera Blue Cross $6.8 million. Premera filed a breach report with OCR after a nine-month long hack into its systems was discovered. Upon investigation into the incident, OCR determined that Premera failed to conduct an enterprise-wide risk analysis, implement risk management, and implement audit controls.

Aetna Life Insurance Company Fined $1 Million

On October 28, 2020, HHS’ OCR announced that it had fined Aetna Life Insurance Company $1 million. Aetna had filed breach reports with OCR after three breaches compromised its patients’ protected health information. Upon investigation into the incidents, OCR determined that Aetna had violated several HIPAA requirements. Aetna was fined for failure to perform periodic technical and nontechnical evaluations of operational changes affecting the security of its electronic PHI (ePHI); failure to implement procedures to verify the identity of persons or entities seeking access to ePHI; failure to limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and failure to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

City of New Haven, Connecticut Fined $202,400

On October 30, 2020, HHS’ OCR announced that it had fined the City of New Haven, Connecticut $202,400. The New Haven Health Department had filed a breach report with OCR after a terminated employee accessed the PHI of 498 patients. Upon investigation into the incident, OCR determined that New Haven had failed to conduct an enterprise-wide risk analysis and had failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.
