The OCR seems to be on a fines spree, with a record number of fines issued in September. Eight OCR fines were issued in September, totaling $10,736,500. The details of each September OCR fine are discussed below.

September OCR Fines: Violating HIPAA Right of Access

The HIPAA Right of Access gives patients the right to request copies of their medical records from their healthcare provider. Requested records must be provided to the patient, or their personal representative, within thirty days of the request. The records must also be provided in the format the patient requests (i.e. paper records, electronic medical records, etc.). The HIPAA Right of Access also limits how much providers are allowed to charge patients for copies of their records: under the HIPAA Privacy Rule Right of Access, medical record copy fees must be reasonable and cost-based.

On September 15, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced that it had settled with five healthcare organizations for failing to comply with the HIPAA Right of Access. “Patients can’t take charge of their health care decisions, without timely access to their own medical information. Today’s announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough,” said OCR Director Roger Severino.

September OCR Fines

Housing Works, Inc. $38,000 Fine

Housing Works, Inc. was fined $38,000 after an investigation concluded that they had violated the Right of Access. So what happened? In June 2019, a patient requested a copy of his medical records. When he hadn’t yet received his records in July, he filed a complaint with OCR. After conducting an investigation, OCR provided Housing Works with technical assistance. The patient then filed a second complaint in August. He finally received his records in November.

All Inclusive Medical Services, Inc. $15,000 Fine

All Inclusive Medical Services, Inc. (AIMS) was fined $15,000 after an investigation concluded that they refused to grant access to a patient’s medical records. In April 2018, a patient filed a complaint with OCR after AIMS refused her request to access her medical records. After an investigation concluded in August 2020, the patient was finally granted access to her records.

Beth Israel Lahey Health Behavioral Services $70,000 Fine

Beth Israel Lahey Health Behavioral Services (BILHBS) was fined $70,000 for failing to provide a patient’s personal representative with timely access to medical records. In April 2019, two months after requesting her father’s medical records, the personal representative still had not received them and filed a complaint with OCR. After the investigation concluded in October 2019, she was given access to the records.

King MD $3,500 Fine

King MD was fined $3,500 for failing to provide a patient with timely access to her medical records. She filed two complaints with OCR after she had not received access to her records. After the first complaint, in October 2018, OCR provided King MD with technical assistance. However, she filed a second complaint in February 2019 after she still had not received her records. In July 2020, she finally received her records.

Wise Psychiatry, PC $10,000 Fine

Wise Psychiatry, PC was fined $10,000 after failing to fulfill a request for medical records. The patient’s personal representative, the father of the minor patient, first requested his son’s records in November 2017. In February 2018, when he had not received access to the records, he filed a complaint with OCR. OCR then provided technical assistance to Wise, but in October 2018 he filed a second complaint when he still had not received his son’s records. In May 2019, he finally received his son’s records.


September OCR Fines: HIPAA Privacy and Security Rule Violations

Two organizations were fined in September for violating both the HIPAA Privacy and Security Rules. Details of what led to each fine are discussed below.

Athens Orthopedic Clinic PA $1.5 Million Fine

Athens Orthopedic Clinic PA was fined $1.5 million for widespread Privacy Rule and Security Rule noncompliance. The OCR conducted an investigation into the healthcare organization after a database of 208,557 patients’ protected health information was found for sale online. OCR’s investigation found that Athens Orthopedic failed to conduct a risk analysis; implement risk management and audit controls; maintain policies and procedures; have signed business associate agreements with several business associates; and provide HIPAA training to their workforce.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” stated OCR Director Roger Severino.


Premera Blue Cross $6.8 Million Fine

Premera Blue Cross was fined $6.8 million for violating the HIPAA Privacy and Security Rules. Premera filed a breach report with OCR after discovering that it had been the victim of an ongoing cyberattack. It took Premera nine months to discover the cyberattack, and the protected health information of 10.4 million patients was exposed in the incident. After conducting an investigation into the incident, OCR found that Premera had failed to conduct an enterprise-wide risk analysis and to implement risk management and audit controls.

“If large health insurance entities don’t invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months,” said Roger Severino, OCR Director.


September OCR Fines: HIPAA Security Rule Violations

One of the September OCR fines was issued for widespread HIPAA Security Rule violations. The details of why the organization was fined are discussed below.

CHSPSC, LLC $2.3 Million Fine

CHSPSC, LLC was fined $2.3 million for violating the HIPAA Security Rule. The healthcare provider was the victim of a hack lasting four months, even though the FBI had alerted CHSPSC to the attack just eight days after it began. As a result, the protected health information of 6.1 million patients was exposed, and a class action lawsuit was filed against CHSPSC, which settled for $3.1 million. In addition, OCR’s investigation found that CHSPSC had failed to conduct a risk analysis; implement information system activity review and security incident procedures; and implement access controls.

“The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.


Protect Against HIPAA Fines

Compliant organizations don’t get fined. Become compliant today!