This year, the Department of Health and Human Services’ Office for Civil Rights (OCR) resolved 14 enforcement actions it had filed against healthcare providers, health plans, and clinical labs. OCR resolved all but one of these 13 through entering into a Settlement Agreement with the covered entity. In the remaining action, OCR imposed a civil monetary penalty on the provider. The lessons from 2021 HIPAA fines are three-fold:

2021 HIPAA Fines

  1. Healthcare providers should maintain effective and responsive right of access policies and procedures
  2. Conducting the Security Rule-mandated security risk assessment is as important as ever
  3. Cooperation with OCR can mitigate the severity of a penalty

These conclusions can be gleaned from the headlines: This year, OCR issued 12 right of access fines, as well as two fines for failure to adequately implement the Security Rule’s risk assessment requirement. 

OCR issued one of the twelve right of access fines, a $100,000 fine imposed on a Long Island, New York cardiologist, in large part because the provider ignored its responsibility to cooperate with an OCR investigation. 2021’s HIPAA fines are examined in greater detail below.

Lesson #1 from 2021 HIPAA Fines: The Right of Access to Medical Records is Real

Before the HIPAA Privacy Rule was fully implemented in 2004, patients seeking access to the protected health information in their medical records had it tough. Many state laws did not require providers to respond to records requests by a specific date, and states that did have such laws were often reluctant or indifferent about enforcing them.


The HIPAA Enforcement Rule was implemented in 2006. Since then, OCR has had the power to impose civil monetary penalties upon providers who fail to comply with the HIPAA Privacy Rule right of access provision. Under this provision, patients are entitled to access, inspect, and obtain copies of their PHI. 

For thirteen years, OCR did not impose civil monetary penalties, or enter into settlement agreements, with non-compliant entities.  

And then came Bayfront Health. In September of 2019, OCR announced that it had settled a potential Bayfront Health right of access violation for $85,000. Bayfront incurred OCR’s wrath for having failed to provide a mother timely access to records about her unborn child. 

What happened?

In early 2019, OCR publicly announced the start of a right of access enforcement initiative, thereby putting providers on notice that failure to comply with the right of access standard would no longer be tolerated. Since then, OCR has resolved 25 right of access complaints, by entering into a settlement agreement with 24 covered entities, and by imposing a civil monetary penalty on another. 2019 brought 2 right of access resolutions; 2020 brought 11; and 2021 brought 12.


The Twelve Right of Access Fines of 2021

Each right of access resolution agreement or civil monetary penalty issued in 2021 has several things in common. The first and perhaps most obvious commonality is that all were issued during a global pandemic, when HHS was busy issuing and enforcing COVID-related guidance, and when OCR was exercising other enforcement powers, including imposing penalties against healthcare entities engaging in discriminatory practices. The world and HHS are busy, but there is still time for fines. Indeed, five fines were announced on the same day – November 30, 2021, right around the same time the latest COVID-19 variant, Omicron, got added to HHS’ plate.

Who was dinged? Small practices, with a few exceptions that opened 2021. The practices that settled also all agreed to submit to a corrective action plan (CAP) – essentially to be monitored by HHS for one or two years to ensure no repeat incident. Let’s have a recap.

2021 HIPAA Right of Access Fines: #1 – Banner Health

Banner Health affiliated covered entities (Banner Health ACE) is a non-profit health system with 30 hospitals, and primary care, specialty care, and urgent care facilities, and is one of the largest health systems in the United States. On January 12, 2021, OCR announced that it had reached a settlement with Banner Health ACE (employee size: approximately 40,000) to settle potential HIPAA right of access violations. Several patients had requested their records and did not receive them in a timely fashion. The OCR settlement agreement requires Banner Health ACE to pay a $200,000 HIPAA fine and adopt a corrective action plan to ensure future compliance. In addition, as part of the OCR settlement agreement, Banner Health ACE is subject to two years of monitoring by OCR.  

2021 HIPAA Right of Access Fines: #2 – Renown Health

In February of 2021, OCR announced that not-for-profit Nevada health system Renown Health, P.C. (approximate employee size: 6,500) had agreed to pay $75,000 to the Department of Health and Human Services (HHS) to settle a potential right of access violation. What happened? Renown failed to provide a patient with electronic copies of her PHI for approximately a year. As part of its settlement with HHS, Renown agreed to placement under a corrective action plan (CAP). The highlights of the plan, under which Renown is required to take the following actions:

  • Renown must develop, maintain, and/or revise, as necessary, its written access policies and procedures to comply with the HIPAA Privacy Rule. The policies and procedures must address Renown’s failure to provide timely access to medical records, by describing Renown’s obligations under the right of access provision. The procedures must ensure comprehensive and timely responses to access requests to PHI. The policies and procedures must also outline protocols for training all workforce members involved in receiving or fulfilling access requests. 
  • Renown must provide the policies and procedures to HHS for approval.
  • If HHS recommends any changes to the policies and procedures, Renown must make revisions within 30 days of the recommendations. The revision process will continue until HHS approves the policies and procedures in full.

Had Renown provided the access to begin with, it would not have incurred these obligations. Renown is not the only provider to have been CAP-slapped this year. All 11 providers with whom OCR entered into a settlement agreement are now CAP-monitored.

Lesson: For providers who violate the right of access rule and settle by paying a fine, the song may have ended, but the melody lingers on.

2021 HIPAA Right of Access Fines: #3 – Sharp HealthCare

In February of 2021, Sharp HealthCare (SRMC) forked over $70,000 to the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to settle a potential violation of the right of access standard. In April of 2019, a Sharp patient made a request for electronic access to their medical records. On June 11, the patient, through a representative, filed a complaint with OCR, alleging that SRMC had failed to provide the requested access. OCR closed its resulting investigation two weeks later, by providing SRMC with technical assistance.

OCR provided the technical assistance to stress the importance of a timely response to a request for access. Despite having received the assistance, SRMC did not provide the patient with access to the requested records until mid-October, as a result of OCR’s second investigation. OCR proposed a civil monetary penalty. SRMC, to avoid a civil monetary penalty, settled the potential access violation for $70,000.

Lesson: “I’m from the government, and I’m here to help” is not always a punchline.     

In many cases, OCR provides technical assistance to providers in lieu of fining them. Through this technical assistance, OCR walks providers through what they must do to comply with the right of access standard. Providers who take the help to heart thereby avoid fines in the future. Providers who ignore the advice do so at their peril.

2021 HIPAA Right of Access Fines: #4 – Arbour Hospital

The facts of the next settlement, this time with 146-bed Arbour Hospital, are a virtual rerun of the SRMC episode. An Arbour patient requested records, did not receive them, and filed a complaint. OCR reviewed the complaint, provided Arbour with technical assistance, and guess what? The patient still did not receive the records. After a second investigation, the patient received his records. Arbour settled the right of access skirmish with OCR for $65,000. Total time it took Arbour to provide the records to the patient: eight months.

2021 HIPAA Right of Access Fines: #5 – Village Plastic Surgery

Village Plastic Surgery (VPS) is a small provider (one-doctor shop) in Ridgewood, New Jersey. In August of 2019, a VPS patient requested what should have been a small lift: she asked for copies of her medical records. After she complained to OCR, OCR concluded that VPS may have violated the right of access standard. As a result of OCR’s investigation, VPS sent the patient her requested medical records.

(Mini Lesson, Obvious But Important All the Same: When a provider only sends a patient requested records after OCR investigates a right of access complaint, there is a good chance that the provider will be fined or enter into a settlement agreement with OCR.)

VPS, faced with a civil monetary penalty, settled the potential right of access violation for $30,000. This one-doctor shop, by agreeing to imposition of a CAP, must develop right of access policies and procedures for HHS approval; must provide HHS with training materials regarding the right of access to PHI; and must provide training to all workforce members on the right of access requirement. 

A lot of work for a little office.

2021 HIPAA Right of Access Fines: #6 – Diabetes, Endocrinology & Lipidology Center

The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) is a Martinsburg, West Virginia-based healthcare provider specializing in treating endocrine disorders. In August 2019, OCR received a complaint from a mother alleging that DELC had failed to respond in a timely manner to her request for a copy of her minor child’s medical records. As was the case with the earlier-mentioned providers, here, it was only after an OCR investigation that this provider finally provided the child’s mother with a copy of the requested records. The mother who made the request had to wait almost two years to receive the records.

Lesson: The settlement in this case was small – only $5,000. The numbers, though, are not the real story. OCR itself has told us what the lesson is. Acting OCR Director Robinson Frohboese, in a press release announcing the settlement, stated, “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records.” Minor patients have the same rights as adult patients. 

2021 HIPAA Right of Access Fines: #7 – Children’s Hospital and Medical Center

The failure of Children’s Hospital & Medical Center (CHMC) to provide a parent with their minor child’s medical records, after multiple requests, led to an OCR investigation, which in turn led to an $80,000.00 fine. During the investigation, OCR learned that CHMC had only partially complied with the parent’s requests by providing some of the records.

Lesson: The right of access is a whole right of access, not a partial one. 

2021 HIPAA Right of Access Fines: #8 – Advanced Spine and Pain Management

Small shop Advanced Spine & Pain Management (ASPM), located in Cincinnati and Springboro, Ohio, is a provider of chronic pain management and treatment services. In November of 2019, an ASPM patient filed a complaint with OCR, alleging that ASPM had not provided him with timely access to his PHI. HHS then investigated. During the investigation, ASPM acknowledged that it received the patient’s request on the date the patient sent it. However, ASPM did not send the requested PHI until four months later. As a result, to avoid incurring a Privacy Rule right of access civil monetary penalty, ASPM entered into a resolution agreement with OCR. Under the terms of the agreement, ASPM agreed to pay OCR $32,150, and to submit to a two-year corrective action plan (CAP). This right of access settlement, along with four others, was announced on November 30, 2021.

Lesson: OCR is cutting down the amount of time between investigation and announcement of settlement – in this case, only a year.

2021 HIPAA Right of Access Fines: #9 – Denver Retina Center (DRC)

Denver Retina Center provides retinal ophthalmology services in Glendale, Colorado. A DRC patient filed a complaint with OCR in the summer of 2019, alleging that DRC ignored her December 2018 request for access to her medical records. In her complaint, the patient noted that she had previously filed a complaint, in March of 2018, alleging an earlier right of access violation. OCR closed out that complaint by providing technical assistance to DRC. In response to the July 2019 investigation, DRC admitted that it was late in responding – by almost seven months. DRC appears to have turned a blind eye to fully cooperating with OCR, as it failed to simply confirm the date of the December 2018 request. OCR, upon investigation, concluded that DRC failed to have sufficient written policies and procedures related to providing timely access to PHI under the right of access standard. To illuminate the importance of the right of access, OCR entered into a resolution agreement with DRC. Under the agreement, DRC must pay $30,000 to HHS and undergo a two-year corrective action plan.

Lesson: Eye doctors and other providers beware – multiple complaints followed by technical assistance followed by crickets chirping will force OCR’s hand.

2021 HIPAA Right of Access Fines: #10 – Rainrock Treatment Center

Rainrock Treatment Center, LLC, doing business as Monte Nido Rain Rock (“Monte Nido”), is a licensed provider of residential eating disorder treatment services headquartered in Eugene, Oregon. Monte Nido and its affiliates, through approximately 5,000 employees operating in 23 states, provide residential and intensive outpatient eating disorder and exercise addiction treatment programs. Between December of 2019 and February of 2020, OCR received three complaints from a Monte Nido patient. The complaints alleged that Monte Nido failed to provide the patient with her medical records after she requested these records in October and then again in November of 2019. Monte Nido finally forwarded the records in late May of 2020. HHS, as part of a resolution agreement settling the potential right of access violation, has agreed to accept a $160,000 resolution amount from Monte Nido, which has also agreed to comply with a one-year CAP.

Lesson: Larger entities can incur larger fines. Banner Health and Monte Nido are the largest providers who settled with OCR in 2021 – and they incurred the two largest monetary penalties.

2021 HIPAA Right of Access Fines: #11 – Wake Health Medical Group

Wake Health Medical Group (Wake) is a small practice in Raleigh, North Carolina. Wake offers primary care services. Wake also offers cosmetic full body skin exams, biopsy, massage, and laser treatment services. In late June of 2019, a Wake patient requested a copy of her medical records, for which Wake charged $25. OCR, upon the patient’s complaint alleging failure to provide the records, learned that Wake charges all of its patients a flat fee of $25 for a copy of their medical records. HHS’ investigation indicated that Wake failed to provide timely access to PHI – in this case, no access, even after receiving $25. HHS and Wake agreed to resolve the patient’s complaint. Under the Resolution Agreement, Wake has agreed to pay $10,000 to HHS, and to enter into a two-year CAP. Under the CAP, Wake must develop policies and procedures to address the Privacy Rule right of access standard. In these policies and procedures, on which Wake must train its employees, Wake must, per OCR instruction, identify its methods for calculating a reasonable, cost-based fee for access to PHI. The charge of $25 is a stretch under HIPAA. Under the right of access standard, a flat $25 fee untethered to the actual costs of labor for copying, supplies, postage, and preparation of any requested PHI explanation or summary is impermissible (so is taking the money and not providing the records).

Lesson: The days of flat fees are over; OCR will enforce the reasonable fee provisions of the right of access standard – especially against providers who take the money and don’t provide the records.

Lesson #2 from 2021 HIPAA Fines: Don’t Be Insecure!

What about HIPAA Security Rule violations? Did OCR forget about them in 2021? No.

In January of 2021, OCR announced it had entered into a settlement with the Excellus Health Plan, under which Excellus has agreed to pay $5.1 million and to enter into a corrective action plan. The settlement was prompted by an OCR investigation that found widespread noncompliance with provisions of the HIPAA Security Rule. As a result of the noncompliance, a data breach occurred that exposed the PHI of over 9.3 million people. Details of the HIPAA data breach are discussed below.

Excellus is a big player in the vast expanse of New York outside of New York City. Its insecurity began in September of 2015, when Excellus filed a breach report with OCR, stating that cyberattackers had gained unauthorized access to its IT systems. In its report, Excellus noted that the breach began in December of 2013, and continued until May of 2015.

During this time, the hackers had free rein over Excellus’ systems, and installed malware allowing them to spy on ePHI. The cyberattackers’ activities ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.

In its investigation OCR found that Excellus failed to meet the following requirements:

  • The requirement to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • The requirement to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level (in other words, risk management).
  • The requirement to implement procedures to regularly review records of information systems activity.
  • The requirement to implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. 

OCR settled with Excellus for $5.1 million. The incident might have been avoided altogether had Excellus done what the Security Rule requires of it – conduct a risk assessment, manage the resultant risks discovered, and develop policies and procedures to safeguard patient information and monitor suspicious activity. 

Lesson: This one $5.1 million settlement is greater than the sum of all of this year’s right of access settlements combined. Old Security Rule settlements’ soldiers never die – they don’t even fade away.

On May 25, 2021, OCR announced that Peachstate Health Management, LLC d/b/a AEON Clinical Laboratories (Peachstate) agreed to pay $25,000, enter into a Resolution Agreement, and adopt a corrective action plan (CAP) to settle potential violations of the Security Rule. Peachstate, located in (surprise!) Gainesville, Georgia, provides diagnostic and laboratory-developed tests, including clinical and genetic testing services. OCR began its investigation through review of the Peachstate clinical laboratories to assess their compliance with the HIPAA Privacy and Security Rules.    

The OCR investigation concluded that Peachstate failed to conduct an enterprise-wide risk analysis and did not implement risk management and audit controls. Additionally, the investigation disclosed systemic noncompliance with the HIPAA Security Rule, and Peachstate failed to maintain documentation of HIPAA Security Rule policies and procedures. 

Here again, the number isn’t quite the whole story. In addition to the monetary settlement, Peachstate entered into a CAP that includes three (3) years of monitoring by HHS and a requirement to do each of the following:

  • Conduct an enterprise-wide risk analysis of the security threats and vulnerabilities of all PHI created, received, maintained or transmitted, including all electronic media, workstations, and information systems owned, controlled or leased by Peachstate;
  • Develop and implement a risk management plan to address and mitigate any security threats and vulnerabilities discovered during the risk analysis;
  • Review and revise Peachstate’s written policies and procedures, subject to HHS review and approval;
  • Distribute the policies and procedures to all current members of the workforce, and to new members of the workforce within fifteen days of the beginning of service;
  • Train all workforce members who have access to PHI on the revised policies and procedures within thirty days of adopting such policies and procedures; and
  • Promptly investigate reports of potential violations of the revised policies and procedures and, if a violation occurred, report such events to HHS.

Sounds onerous. But it’s child’s play compared to the next requirement:

Peachstate must designate an individual or entity to serve as a monitor and review compliance with the CAP. This monitor must review Peachstate’s Security Rule compliance and make sure Peachstate’s systems are up to snuff. This remedy of a designated monitor has been imposed by OCR fewer than ten times in the history of HIPAA resolution agreements. OCR, in this case, decided that its own monitoring was not enough, and brought in an outsider to help it out.

Lesson #3 from 2021 HIPAA Fines: Silence Isn’t Golden (a/k/a Right of Access Fine #12)

2021 right of access fine #12 is a $100,000 civil monetary penalty, imposed on Dr. Robert Glaser, who owns and operates a cardiology practice in New Hyde Park, New York, on the north shore of Long Island. 

The facts of this case are, one can hope, extraordinary. As stated by OCR, “Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.” A former Dr. Glaser patient filed a complaint in 2017 over Dr. Glaser’s failure to respond to his verbal and written requests for access to his medical records from 2013 to 2014. OCR then closed out the complaint, reminding Dr. Glaser to provide access to the requests that met the requirements of the right of access standard. 

(The obligations of a patient under the right of access standard are not exactly exacting. The patient must request records. The provider may require that the request be in writing, as long as the provider lets the individual know of any such requirement in advance.)

Dr. Glaser did not provide the records. By the end of December of 2018, OCR had contacted Dr. Glaser’s office once by fax, twice in writing, and three times by phone, to remind him of his obligations both to comply with the right of access standard and to respond to OCR’s unanswered inquiries about that compliance.

In April of 2019, OCR requested that Dr. Glaser provide a written response to the complaint; a copy of his office policies and procedures on the right of access standard; a copy of his Notice of Privacy Practice; and documentary assurance that workforce members were provided with training on these policies and procedures. OCR also requested a copy of Dr. Glaser’s most recent quarterly balance sheet, income statement, and cash flows, as well as a copy of the most recent full-year audited financial statements, and copy of his most recent tax returns. Dr. Glaser ignored the communication. He also ignored a subsequent September, 2019 proposed resolution agreement and CAP. OCR gave Dr. Glaser’s office one more chance to voluntarily resolve the matter by signing the proposed resolution agreement and corrective action plan, and by paying the resolution amount of $100,000. Dr. Glaser did not respond. 

Because Dr. Glaser also failed to respond to OCR’s November 2019 Letter of Opportunity that gave him the option to submit written evidence of mitigating factors to the noncompliance, OCR, with the U.S. Attorney General’s authorization, imposed the $100,000 civil monetary penalty in May of 2021. OCR issued the penalty for Dr. Glaser’s willful neglect of his HIPAA obligations. OCR found that this neglect continued from February 13, 2018, through the end of 2020. The Notice of Final Determination – the May, 2021 letter imposing the penalty – makes no mention of Dr. Glaser ever having provided the record.

When OCR sat down to determine the amount of the penalty to assess, the daily penalty amount for a willful neglect violation was a little over $59,522 per day. An ongoing violation continuing for over 800 days might have merited a hefty fine, all other things being equal. However, HIPAA regulations authorize HHS to take an entity’s financial condition into account when imposing a CMP. Under the same regulations, OCR may, in its discretion, impose less than the maximum fine if OCR finds that the maximum fine would likely impact the ability of a provider to continue to operate. Through public information and public record, OCR learned that Dr. Glaser was a solo practitioner. OCR, when imposing the CMP, exercised its discretion to limit the fine to $100,000.

Lesson: When OCR comes a’knockin, answer the door. Dr. Glaser was given opportunity upon opportunity to explain his actions, defend his actions, cooperate with OCR, and advocate for himself for a lesser penalty. He took none of these opportunities. OCR concluded that Dr. Glaser’s complete radio silence hindered its investigation, and fined him accordingly.
