<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <atom:link href="http://therapycomply.com/page-19536/BlogPost/5043969/RSS" rel="self" type="application/rss+xml" />
    <title>Therapy Comply HIPAA Blog</title>
    <link>https://therapycomply.com/</link>
    <description>Therapy Comply blog posts</description>
    <dc:creator>Therapy Comply</dc:creator>
    <generator>Wild Apricot - membership management software and more</generator>
    <language>en</language>
    <pubDate>Fri, 10 Apr 2026 06:00:26 GMT</pubDate>
    <lastBuildDate>Fri, 10 Apr 2026 06:00:26 GMT</lastBuildDate>
    <item>
      <pubDate>Tue, 10 Dec 2024 16:59:29 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles with Health Care Clearinghouse, Inmediata Health Group, Over HIPAA Impermissible Disclosure</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Inmediata Health Group, LLC (Inmediata), a health care clearinghouse, concerning potential violations of the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/index.html" style=""&gt;Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule&lt;/a&gt;, following OCR’s receipt of a complaint that HIPAA protected health information was accessible on the internet to search engines like Google.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Health care entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that health plans, health care clearinghouses, and most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;In 2018, OCR received a complaint concerning PHI left unsecured on the internet. Following the initiation of OCR’s investigation, Inmediata provided breach notification to HHS and affected individuals. OCR’s investigation determined that from May 2016 through January 2019, the PHI of 1,565,338 individuals was made publicly available online. The PHI disclosed included patient names, dates of birth, home addresses, Social Security numbers, claims information, diagnosis/conditions and other treatment information. These impermissible disclosures of PHI were potential violations of the HIPAA Privacy Rule.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR’s investigation also identified multiple potential HIPAA Security Rule violations including: failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; and to monitor and review its health information systems’ activity. The settlement resolves OCR’s investigation concerning this HIPAA breach.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under the terms of the settlement, Inmediata paid OCR $250,000. OCR determined that a corrective action plan was not necessary in this resolution as Inmediata had previously agreed to a&amp;nbsp;&lt;a href="https://content.govdelivery.com/attachments/INAG/2023/10/17/file_attachments/2650099/Inmediata%20Consent%20Judgment%20%28002%29.pdf"&gt;settlement&amp;nbsp;- PDF&lt;/a&gt;&amp;nbsp;with 33 states that includes corrective actions that address OCR’s findings in this matter.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to protect ePHI:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Integrate risk analysis and risk management into business processes; conduct them regularly and when new technologies and business operations are planned.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Ensure audit controls are in place to record and examine information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Encrypt ePHI to guard against unauthorized access to ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Incorporate lessons learned from incidents into the overall security management process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The resolution agreement may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/inmediata-health-group-ra-cap/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440214</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440214</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 03 Dec 2024 16:58:51 GMT</pubDate>
      <title>HHS Office for Civil Rights Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $1.19 million civil monetary penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute (Gulf Coast Pain Consultants) in Florida, concerning violations of the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/index.html" style=""&gt;Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule&lt;/a&gt;, following receipt of a breach report that a former contractor for the company had impermissibly accessed their electronic record system. OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html" style=""&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that health plans, health care clearinghouses, and most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/index.html" style=""&gt;HIPAA Security Rule&lt;/a&gt;&amp;nbsp;establishes national standards to protect and secure our health care system by requiring administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI (ePHI).&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR initiated an investigation following the receipt of a breach report filed by Gulf Coast Pain Consultants, which reported that a former contractor had impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR found four violations by Gulf Coast Pain Consultants of the HIPAA Security Rule, including failures to:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;implement procedures to regularly review records of activity in information systems;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;implement procedures to terminate former workforce members’ access to ePHI; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;implement procedures for establishing and modifying workforce members’ access to information systems.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;In August 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Gulf Coast waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $1,190,000.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Proposed Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-npd/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Final Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-nfd/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gulf-coast-pain-consultants-nfd/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber threats:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Integrate risk analysis and risk management into business processes.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement procedures for modifying a user’s right of access to a workstation, transaction, program or process, or an alternative equivalent measure.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR regularly provides guidance and information to the health care industry to support data privacy and security. Recent resources include:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Cybersecurity Newsletter on&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2024/index.html"&gt;Social Engineering&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Video on “&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html"&gt;How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks&lt;/a&gt;” in&amp;nbsp;&lt;a href="https://www.youtube.com/watch?v=VnbBxxyZLc8"&gt;English&amp;nbsp;&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR Webinar on&amp;nbsp;&lt;a href="https://www.youtube.com/watch?v=hxfxhokzKEU"&gt;The HIPAA Security Rule Risk Analysis Requirement&amp;nbsp;&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA Security Rule Guidance Materials&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440213</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440213</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 26 Nov 2024 16:56:52 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles with Holy Redeemer Family Medicine Over Disclosure of Patient’s Protected Health Information, Including Reproductive Health Information</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Holy Redeemer Family Medicine (Holy Redeemer), a Pennsylvania hospital, concerning an alleged violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule due to an impermissible disclosure of a female patient’s protected health information, including information related to reproductive health care. OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html" style=""&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow relating to the privacy and security of protected health information. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records, requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization (such as disclosures for health oversight activities or for law enforcement purposes), and gives individuals rights such as the ability to access their own medical records.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“It is imperative that health care providers take their duty to protect patient privacy seriously and follow the law,” said OCR Director Melanie Fontes Rainer. “Patients must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship and ensure they get the care they need. This is particularly true for reproductive health privacy.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;In September of 2023, OCR received a complaint alleging that Holy Redeemer impermissibly disclosed a female patient’s protected health information to the patient’s prospective employer, including her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care. OCR’s investigation found that Holy Redeemer disclosed the patient’s full medical record, including protected health information concerning her reproductive health care, that it did not have the patient’s authorization for the broad disclosure of her protected health information, and that there otherwise was no applicable requirement or permission under the Privacy Rule for such a broad release of her medical records. The complainant stated that she had requested that Holy Redeemer send one specific test result, unrelated to her reproductive health, to a prospective employer.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under the terms of the resolution agreement, Holy Redeemer paid $35,581 and agreed to implement a corrective action plan that identifies specific steps it will take to comply with the HIPAA Rules and protect patient privacy to prevent this from happening again. OCR will monitor the implementation of this corrective action plan for two years:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Submit a breach notification report to HHS regarding this incident;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review, develop or revise its policies and procedures to ensure compliance with the Privacy Rule, and submit all such policies and procedures to HHS for approval;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Distribute all HHS-approved policies and procedures to its workforce and ensure that each member of the workforce certifies receipt and understanding of the policies and procedures;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Train all members of its workforce on its HHS-approved policies and procedures, including all workforce members of its affiliated entities;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Within 120 days after HHS approval of Holy Redeemer’s policies and procedures, Holy Redeemer must submit a written report to HHS detailing the status of its implementation of the corrective action plan;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide a report to OCR regarding any non-compliance with its policies and procedures by any members of its workforce;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide annual reports to OCR regarding Holy Redeemer’s compliance with the corrective action plan.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/holy-redeemer-hospital-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/holy-redeemer-hospital-ra-cap/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR is committed to ensuring the privacy of lawful reproductive health care. Please see OCR’s 2024 final rule on&amp;nbsp;&lt;a href="https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy"&gt;HIPAA Privacy Rule to Support Reproductive Health Care Privacy&lt;/a&gt;&amp;nbsp;for more information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440211</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440211</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 19 Nov 2024 16:56:10 GMT</pubDate>
      <title>HHS Office for Civil Rights Imposes a $100,000 Penalty Against Mental Health Center for Failure to Provide Timely Access to Patient Records</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Rio Hondo Community Mental Health Center (“Rio Hondo”) in California. The penalty resolves an investigation into Rio Hondo over a failure to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs" style=""&gt;right of access provisions&lt;/a&gt;&amp;nbsp;require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee. OCR enforces the HIPAA Privacy Rule, which establishes national standards to protect individuals’ medical records; sets limits and conditions on the uses and disclosures of protected health information; and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Patients should never be in the position of needing to request their own medical records over and over again before getting access to them,” said OCR Director Melanie Fontes Rainer. “Ensuring patients’ rights to timely access to medical information continues to be a HIPAA enforcement priority. Healthcare providers are legally obligated to provide patients with timely access to their medical records. If they fail to provide that access, OCR will not hesitate to do everything in its power, including imposing civil monetary penalties, to ensure compliance with the law.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR launched an investigation after receiving a complaint from a patient that they were not given timely access to their medical records, despite multiple requests in writing and by telephone. OCR’s investigation found that it took nearly seven months from the time the patient first requested the records until Rio Hondo provided them. The patient made multiple telephone calls in July and August 2020 regarding the status of her request, but still did not receive the requested records. Based on the facts, OCR found that Rio Hondo failed to take timely action in response to the patient’s right of access in accordance with the HIPAA Privacy Rule. In July 2024, OCR issued a Notice of Proposed Determination to impose a $100,000 civil monetary penalty. Rio Hondo waived its right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. As a result of OCR’s investigation, the patient received their records in 2020.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Proposed Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-proposed-determination/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-proposed-determination/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Final Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-final-determination/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/rio-hondo/notice-final-determination/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR’s guidance on the HIPAA right of access is available at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440210</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440210</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 31 Oct 2024 16:55:20 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation for $500,000</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Plastic Surgery Associates of South Dakota in Sioux Falls, for several potential violations of the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/index.html" style=""&gt;Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule&lt;/a&gt;, following OCR’s investigation into a ransomware attack breach. Ransomware and hacking are the primary cyber-threats in health care.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018. October is Cybersecurity Awareness Month, and OCR has been working with health plans, health care clearinghouses, most health care providers and their business associates to raise awareness of the types of cyberattacks occurring and how to improve data security.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Ransomware attacks often reveal a provider’s underlying failures to comply with the HIPAA Security Rule requirements such as conducting a risk analysis or managing identified risks and vulnerabilities to health information,” said OCR Director Melanie Fontes Rainer. “Such failures can make our doctors and hospitals attractive targets for cyberattacks and can lead to breakdowns in our health care system.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information. The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. The settlement resolves OCR’s investigation concerning Plastic Surgery Associates of South Dakota and this ransomware attack.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR initiated an investigation following the receipt of a breach report filed by Plastic Surgery Associates of South Dakota in July 2017, which reported that it discovered that nine workstations and two servers were infected with ransomware, affecting the protected health information of 10,229 individuals. The credentials the hacker(s) used to access Plastic Surgery Associates of South Dakota’s network were obtained through a brute force attack (a hacking method that uses trial and error to guess passwords, login information, encryption keys, etc.) against its remote desktop protocol. After discovering the breach, Plastic Surgery Associates of South Dakota was unable to restore the affected servers from backup.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; implement security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level; implement procedures to regularly review records of information system activity; and implement policies and procedures to address security incidents.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under the terms of the settlement, Plastic Surgery Associates of South Dakota paid $500,000 to OCR and agreed to implement a corrective action plan that requires them to take steps to resolve potential violations of the HIPAA Security Rule and protect the security of electronic protected health information, including:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement a written risk management plan to address and mitigate security risks and vulnerabilities identified in the Risk Analysis;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement policies and procedures to address security incidents, including a process for: identifying and responding to known security incidents; mitigating, to the extent practicable, harmful effects of known security incidents; and documenting (in writing) security incidents and their outcomes;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement policies and procedures to establish methods to create and maintain retrievable exact copies of ePHI, including a process to: test the recoverability of backups on a regular basis to ensure that a retrievable exact copy will be available; create and maintain multiple copies of encrypted backups; and securely store backups in differing locations;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Revise its policies and procedures relating to the uses and disclosures of PHI to ensure that its workforce members understand: 1) the circumstances under which PHI may be used and disclosed; 2) how to identify situations that constitute impermissible uses and disclosures of PHI; and 3) how and when to report situations that might constitute impermissible uses and/or disclosures of PHI;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Revise its Breach Notification policies and procedures to ensure that its workforce members understand that, following a breach of unsecured PHI, affected individuals must be notified without unreasonable delay and in no case later than 60 (sixty) calendar days after the discovery of the breach, and that notification must be made to the HHS Secretary and, in certain circumstances, to the media; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide training to its workforce on HIPAA policies and procedures.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR will monitor Plastic Surgery Associates of South Dakota for two years to ensure compliance with the law.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;***&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies and business operations are planned.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Ensure audit controls are in place to record and examine information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Encrypt ePHI to guard against unauthorized access to ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Incorporate lessons learned from incidents into the overall security management process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR regularly provides guidance and information to the health care industry to support data privacy and security. As part of this ongoing initiative, this past Fall, OCR provided the following resources:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/telehealth-privacy-security/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Telehealth Privacy and Security Tips for Patients&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/resource-health-care-providers-educating-patients/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Cybersecurity Newsletter on Security Rule Sanctions&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Videos on “&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html"&gt;How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks&lt;/a&gt;” in&amp;nbsp;&lt;a href="https://www.youtube.com/watch?v=VnbBxxyZLc8"&gt;English&amp;nbsp;&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR Webinar on&amp;nbsp;&lt;a href="https://www.youtube.com/watch?v=hxfxhokzKEU"&gt;The HIPAA Security Rule Risk Analysis Requirement&amp;nbsp;&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/psa-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/psa-ra-cap/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440209</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440209</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 17 Oct 2024 16:54:43 GMT</pubDate>
      <title>HHS Office for Civil Rights Imposes a $70,000 Civil Monetary Penalty Against Gums Dental Care for Failure to Provide Timely Access to Patient Records</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $70,000 civil monetary penalty against Gums Dental Care, LLC (Gums Dental Care), a solo dental practice in Maryland that provides family dental care, as a result of an investigation based on a complaint that Gums Dental had failed to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs" style=""&gt;right of access provisions&lt;/a&gt;&amp;nbsp;require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“An essential hallmark of HIPAA is the right to patients’ timely access to their medical records. Patients should not have to make multiple requests and file complaints with HHS’ Office for Civil Rights to get their own medical records,” said OCR Director Melanie Fontes Rainer. “This investigation marks OCR’s 50th right of access enforcement action. Health care providers should get the message—loud and clear—when a patient seeks their medical information, you must provide it to them, period.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow relating to the privacy and security of protected health information. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records. This is a critical part of HIPAA and of patients’ control over their own data.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR first received a complaint alleging that Gums Dental Care had failed to provide the complainant access to her and her children’s medical records. OCR sent a technical assistance letter notifying Gums Dental Care of its obligation to respond to requests for medical records and closed the complaint. After the complainant filed a second complaint alleging Gums Dental Care had still not provided complainant with access to the requested records, OCR opened an investigation. OCR’s investigation found that Gums Dental Care failed to take timely action in response to the patient’s right of access request. Specifically, Complainant submitted written requests for the records in April 2019, and again in June 2019, but Gums Dental Care did not attempt to provide the records until May 2022. In March 2022, OCR issued a Notice of Proposed Determination seeking to impose a $70,000 civil monetary penalty. Gums Dental Care challenged OCR’s Notice of Proposed Determination and requested a hearing before an Administrative Law Judge (ALJ). On September 29, 2023, the ALJ imposed a $70,000 civil monetary penalty. Gums Dental Care appealed the decision, and on March 22, 2024, the Departmental Appeals Board affirmed the Decision. Accordingly, OCR imposed the $70,000 civil monetary penalty in a Notice of Final Determination.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Proposed Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gums-dental-care-npd/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gums-dental-care-npd/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR’s guidance on the HIPAA right of access is available at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440208</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440208</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 03 Oct 2024 16:54:00 GMT</pubDate>
      <title>HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a $240,000 civil monetary penalty against Providence Medical Institute in Southern California, concerning potential violations of the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/index.html" style=""&gt;Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule&lt;/a&gt;, following a ransomware attack breach report investigation by OCR. Ransomware and hacking are the primary cyber-threats in health care. There has been a 264% increase in large breaches reported to OCR involving ransomware attacks since 2018.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Failures to fully implement all of the HIPAA Security Rule requirements leaves HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients’ health information,” said OCR Director Melanie Fontes Rainer. “The health care sector needs to get serious about cybersecurity and complying with HIPAA. OCR will continue to stand up for patient privacy and work to ensure the security of health information of every person. On behalf of OCR, I urge all health care entities to always stay alert and take every precaution and steps to keep their systems safe from cyberattacks.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow to protect the privacy and security of protected health information. The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. The Civil Money Penalty resolves OCR’s investigation concerning Providence Medical Institute’s compliance with the HIPAA Security Rule.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR initiated an investigation following the receipt of a breach report filed by Providence Medical Institute in April 2018, which reported that its systems were impacted by a series of ransomware attacks that affected the electronic protected health information (ePHI) of 85,000 individuals between February and March 2018. OCR’s investigation determined that servers containing ePHI were encrypted with ransomware three times. OCR found two potential violations of the HIPAA Security Rule, including failure to have a business associate agreement in place and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;In March 2024, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Providence Medical Institute waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $240,000.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Proposed Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-npd/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-npd/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Final Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pmi-nfd/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies and business operations are planned.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Ensure audit controls are in place to record and examine information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Encrypt ePHI to guard against unauthorized access to ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Incorporate lessons learned from incidents into the overall security management process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide training specific to the organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at:&amp;nbsp;&lt;a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf"&gt;https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440207</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440207</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 26 Sep 2024 16:52:10 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles Ransomware Cybersecurity Investigation under HIPAA Security Rule for $250,000</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Cascade Eye and Skin Centers, P.C., a privately-owned health care provider in the state of Washington, concerning potential violations of the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/index.html"&gt;Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule&lt;/a&gt;, following a ransomware attack investigation by OCR. Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Cybercriminals continue to target the health care sector with ransomware attacks. Health care entities that do not thoroughly assess the risks to electronic protected health information and regularly review the activity within their electronic health record system leave themselves vulnerable to attack, and expose their patients to unnecessary risks of harm,” said OCR Director Melanie Fontes Rainer. “Ensuring the confidentiality of electronic protected health information is critical to protect health information privacy and integral to our national security in the health care sector. OCR urges all health care entities to take the essential precautions and stay vigilant to safeguard their systems from cyberattacks.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that health plans, health care clearinghouses, most health care providers, and their business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. It also requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of ePHI. The settlement resolves OCR’s investigation concerning Cascade Eye and Skin Centers’ compliance with the HIPAA Security Rule.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR initiated an investigation following the receipt of a complaint alleging that Cascade Eye and Skin Centers experienced a ransomware attack. OCR’s investigation determined that approximately 291,000 files that contained electronic PHI (ePHI) were affected. OCR found multiple potential violations of the HIPAA Security Rule, including failures by Cascade Eye and Skin Centers to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems, and to have sufficient monitoring of its health information systems’ activity to protect against a cyber-attack.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under the terms of the settlement, Cascade Eye and Skin Centers has paid $250,000 to OCR and will implement a corrective action plan that requires it to take steps toward protecting the security of protected health information. OCR will monitor the corrective action plan for two years. These actions include:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Develop a written process to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Develop policies and procedures for responding to an emergency or other occurrence that damages systems that contain ePHI;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Develop written procedures to assign a unique name and/or number for identifying and tracking user identity in its systems that contain ePHI;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review and revise, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Integrate risk analysis and risk management into business processes; conduct them regularly and whenever new technologies and business operations are planned.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Ensure audit controls are in place to record and examine information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Encrypt ePHI to guard against unauthorized access to ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Incorporate lessons learned from incidents into the overall security management process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide training specific to the organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cascade-eye-skin-centers-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cascade-eye-skin-centers-ra-cap/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at:&amp;nbsp;&lt;a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf"&gt;https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440206</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440206</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 01 Aug 2024 16:51:35 GMT</pubDate>
      <title>HHS Office for Civil Rights Imposes a Civil Monetary Penalty of $115,200 Against American Medical Response for Failure to Provide Timely Access to Patient Records</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a civil monetary penalty of $115,200 collected against American Medical Response (AMR), a provider of emergency medical services across the United States. The civil monetary penalty was the result of an investigation based on a complaint that AMR had failed to provide a patient with timely access to their medical records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule’s&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs" style=""&gt;right of access&lt;/a&gt;&amp;nbsp;provisions require that individuals or their personal representatives have timely access to their health information (within 30 days, with the possibility of one 30-day extension) and for a reasonable, cost-based fee.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“HIPAA gives patients a right to timely access to their medical records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to enforce this right through investigations, and when necessary, by imposing civil money penalties.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow relating to the privacy and security of protected health information. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and to obtain a copy of their health records.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR received a complaint alleging that AMR failed to provide a patient with timely access to their medical records after many failed attempts by the patient. OCR initiated an investigation and found that AMR failed to provide the patient with timely access to their medical records. In response to OCR’s investigation, AMR sent the patient a copy of their requested records and amended its internal procedures to streamline and better track right of access requests to follow the law. In October 2023, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty.&amp;nbsp; AMR waived its right to a hearing and did not contest OCR’s findings. OCR finalized its determination and imposed the civil money penalty against AMR.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;View the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/american-medical-response-npd/index.html"&gt;Notice of Proposed Determination&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.hhs.gov/sites/default/files/amr-notice-final-determination.pdf"&gt;Notice of Final Determination&amp;nbsp;- PDF&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read about&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html"&gt;OCR’s guidance on the HIPAA right of access&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440205</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440205</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 01 Jul 2024 16:50:21 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles HIPAA Security Rule Failures for $950,000</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with Heritage Valley Health System (Heritage Valley), which provides care in Pennsylvania, Ohio and West Virginia, concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, following a ransomware attack. Ransomware and hacking are the primary cyber-threats in health care. Since 2018, there has been a 264% increase in large breaches reported to OCR involving ransomware attacks.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer. “Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;, which sets forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information. The settlement resolves OCR’s investigation concerning Heritage Valley’s compliance with the HIPAA Security Rule.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures by Heritage Valley to: conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic protected health information in its systems; implement a contingency plan to respond to emergencies, like a ransomware attack, that damage systems that contain electronic protected health information; and implement policies and procedures to allow only authorized users access to electronic protected health information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under the terms of the resolution agreement, Heritage Valley agreed to pay $950,000 and implement a corrective action plan that will be monitored by OCR for three years.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under the plan Heritage Valley will take a number of steps to resolve potential violations of the HIPAA Security Rule and protect the security of electronic protected health information, including:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review and develop, maintain, and revise, as necessary its written policies and procedures to comply with the HIPAA Rules; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Train their workforce on their HIPAA policies and procedures.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Integrate risk analysis and risk management into business processes; conducted regularly and when new technologies and business operations are planned.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Ensure audit controls are in place to record and examine information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implement regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Utilize multi-factor authentication to ensure only authorized users are accessing electronic protected health information (ePHI).&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Encrypt ePHI to guard against unauthorized access to ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Incorporate lessons learned from incidents into the overall security management process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;
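&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The two items on audit controls and on regular review of information system activity are the ones a practitioner can turn into running code. The example below is an added illustration, not code from HHS, from Heritage Valley or from any vendor product: it parses a constructed ePHI access audit log (the CSV fields, the user names and patient IDs, the 20:00-06:00 after-hours window and the per-day thresholds are all assumptions made for the illustration) and reports the user-days a reviewer should examine, namely bulk access to many distinct patient records, activity outside normal hours, and record exports. The same review pattern applies to the insider case in the Montefiore item further down this page, where an employee accessed and sold patient records over six months.&lt;/font&gt;&lt;/p&gt;

```python
"""Daily review of an ePHI access audit log.

Added example, not taken from the HHS press release or any product. The log
format, thresholds and after-hours window are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): one row per ePHI access event.
SAMPLE_LOG = """\
timestamp,user,action,patient_id,source_ip
2024-05-01T09:12:00,nurse01,VIEW,P1001,10.0.1.15
2024-05-01T09:40:00,nurse01,VIEW,P1002,10.0.1.15
2024-05-01T10:05:00,nurse01,UPDATE,P1001,10.0.1.15
2024-05-01T14:30:00,dr_lee,VIEW,P1003,10.0.2.7
2024-05-01T22:15:00,clerk07,VIEW,P2001,10.0.3.40
2024-05-01T22:16:00,clerk07,VIEW,P2002,10.0.3.40
2024-05-01T22:17:00,clerk07,VIEW,P2003,10.0.3.40
2024-05-01T22:18:00,clerk07,VIEW,P2004,10.0.3.40
2024-05-01T22:19:00,clerk07,VIEW,P2005,10.0.3.40
2024-05-01T22:20:00,clerk07,VIEW,P2006,10.0.3.40
2024-05-01T22:25:00,clerk07,EXPORT,P2006,10.0.3.40
2024-05-02T08:00:00,dr_lee,VIEW,P1004,10.0.2.7
"""

# Assumption: normal shifts run 06:00-19:59; anything else is after hours.
NORMAL_HOURS = range(6, 20)


def parse_log(text):
    """Parse CSV audit text into event dicts, adding a datetime field 'ts'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        events.append(row)
    return events


def is_after_hours(ts):
    """True when the event falls outside the assumed normal working hours."""
    return ts.hour not in NORMAL_HOURS


def review(text, max_patients=5, after_hours_limit=3):
    """Aggregate events per (user, day) and return {(user, day): [reasons]}
    for every user-day that exceeds a threshold or contains an export."""
    per_day = defaultdict(lambda: {"patients": set(), "after_hours": 0, "exports": 0})
    for ev in parse_log(text):
        key = (ev["user"], ev["ts"].date().isoformat())
        stats = per_day[key]
        stats["patients"].add(ev["patient_id"])
        if is_after_hours(ev["ts"]):
            stats["after_hours"] += 1
        if ev["action"] == "EXPORT":
            stats["exports"] += 1

    findings = {}
    for key, stats in per_day.items():
        reasons = []
        distinct = len(stats["patients"])
        if distinct > max_patients:
            reasons.append(f"bulk access: {distinct} distinct patients in one day")
        if stats["after_hours"] > after_hours_limit:
            reasons.append(f"after-hours activity: {stats['after_hours']} events")
        if stats["exports"]:
            reasons.append(f"record export: {stats['exports']} EXPORT action(s)")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (user, day), reasons in sorted(review(SAMPLE_LOG).items()):
        print(f"{day} {user}:")
        for reason in reasons:
            print(f"  - {reason}")
```

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Run as a script, it prints only the clerk07 user-day, with all three reasons. In practice the thresholds would be set per role (a records clerk legitimately touches more charts than a single clinician), the job would be scheduled so the review actually happens regularly rather than only after a complaint, and every finding would be tied back to a ticket so the organization can show OCR that its audit controls are both recording and being examined.&lt;/font&gt;&lt;/p&gt;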

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hvhs-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hvhs-ra-cap/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13440203</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13440203</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Fri, 31 May 2024 16:17:06 GMT</pubDate>
      <title>OCR Updates Change Healthcare Cybersecurity Incident FAQs</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) published an update to the frequently asked questions (FAQs)&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html" style=""&gt;webpage&lt;/a&gt;&amp;nbsp;concerning the Change Healthcare cybersecurity incident. The webpage, first published on April 19, 2024, provides answers to FAQs concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other health care entities.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Ensuring patient privacy is one of the pillars of HIPAA.&amp;nbsp;Our updated&amp;nbsp;FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached. This ensures that the potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more, will understand the impact of this breach on their private medical records and their health care,”&amp;nbsp;said OCR Director Melanie Fontes Rainer. “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare.&amp;nbsp;All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The webpage updates address questions OCR has received concerning who is responsible for performing breach notification to HHS, affected individuals, and where applicable the media. Specifically, the FAQs make clear that:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13371153</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13371153</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 22 Apr 2024 16:30:15 GMT</pubDate>
      <title>The Biden-Harris Administration Issues New Rule to Support Reproductive Health Care Privacy Under HIPAA</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Final Rule strengthens privacy protections for medical records and health information for women, their family members, and doctors who are seeking, obtaining, providing, or facilitating lawful reproductive health care.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a Final Rule, entitled&lt;em&gt;&amp;nbsp;HIPAA Privacy Rule to Support Reproductive Health Care Privacy&lt;/em&gt;. The Final Rule strengthens the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. HHS is issuing this Final Rule after hearing from communities that changes were needed to better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care. This Final Rule will bolster patient-provider confidentiality and help promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Many Americans are scared their private medical information will be being shared, misused, and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration is providing stronger protections to people seeking lawful reproductive health care regardless of whether the care is in their home state or if they must cross state lines to get it. With reproductive health under attack by some lawmakers, these protections are more important than ever.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Since the fall of&amp;nbsp;&lt;em&gt;Roe v. Wade&lt;/em&gt;, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home. Patients and providers are scared, and it impedes their ability to get and to provide accurate information and access safe and legal health care,” said OCR Director Melanie Fontes Rainer. “Today’s rule prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR administers and enforces the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses, and business associates (collectively, “regulated entities”) to safeguard the privacy of PHI and sets limits and conditions on the uses and disclosures of such information. The HIPAA Privacy Rule also gives individuals certain rights over their PHI. In April 2023, OCR published proposed modifications to the HIPAA Privacy Rule to address changes in the legal landscape affecting reproductive health care privacy that make it more likely than before that PHI may be used and disclosed in ways that HIPAA intended to protect. OCR received almost 30,000 comments on the proposed rule from the public. After carefully considering these comments, the Department is issuing a Final Rule that:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;View the Final Rule on the &amp;nbsp;&lt;a href="https://www.federalregister.gov/documents/2024/04/26/2024-08503/hipaa-privacy-rule-to-support-reproductive-health-care-privacy"&gt;Federal Register&lt;/a&gt;.&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;View The Final Rule Fact Sheet&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html"&gt;here&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13371159</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13371159</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 01 Apr 2024 16:30:50 GMT</pubDate>
      <title>HHS Office for Civil Rights Imposes a Civil Monetary Penalty on New Jersey Nursing Facility for Failing to Provide Timely Access to Patient Records</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”), a skilled nursing facility that provides long-term care and rehabilitation services. OCR investigated Hackensack Meridian Health under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule for failing to provide a patient’s personal representative with timely access to the patient’s medical records.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The HIPAA Privacy Rule is the federal law that establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and obtain a copy of their health records. Today’s action resolves a matter where patient records were not provided in a timely manner.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;In May 2020, OCR received a complaint alleging that Hackensack Meridian Health failed to provide a personal representative with access to his mother’s medical records. The records were allegedly withheld even after Hackensack Meridian Health received sufficient documentation demonstrating that the son was serving as his mother’s personal representative. The requested records were sent to the personal representative in November 2020, as a result of OCR’s investigation.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR found that Hackensack Meridian Health failed to respond timely to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Hackensack Meridian Health waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $100,000.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Proposed Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#npd"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#npd&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Notice of Final Determination may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#nfd"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#nfd&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13371160</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13371160</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Fri, 29 Mar 2024 16:32:13 GMT</pubDate>
      <title>HHS’ Office for Civil Rights Settles HIPAA Investigation with Phoenix Healthcare</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Phoenix Healthcare, an Oklahoma multi-facility organization in nursing care. The settlement resolves a potential violation under the Health Insurance Portability and Accountability Act (HIPAA)&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs" style=""&gt;Right of Access provision&lt;/a&gt;, requires that individuals or their personal representatives have timely access to their health information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under HIPAA, it is required that a covered entity must provide access to the protected health information within 30 days of receiving an individual’s request. OCR’s investigation involved a daughter, serving as a personal representative for her mother, who was not able to obtain access to her mother’s protected health information for nearly one year, despite multiple requests. The agreement marks OCR’s 47th Right of Access enforcement action.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.”&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;In April 2019, a complaint was filed with OCR alleging that Phoenix Healthcare would not provide a daughter, who serves as a personal representative, with a copy of her mother’s medical records. After attempt at technical assistance and attempts to get the records by OCR, Phoenix Healthcare sent the requested records on January 30, 2020, 323 days after the request.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;A copy of the Settlement Agreement may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/phoenix-healthcare/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/phoenix-healthcare/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The regulations under HIPAA recognize the importance of providing individuals with the ability to access and obtain a copy of their health information. To learn more about your rights under the HIPAA Right of Access provision, view OCR’s guidance at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13371161</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13371161</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 08 Feb 2024 16:33:44 GMT</pubDate>
      <title>HHS Finalizes New Provisions to Enhance Integrated Care and Confidentiality for Patients with Substance Use Conditions</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services, through its Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), finalized modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”), which protect the privacy of patients’ SUD treatment records. Specifically, today’s final rule increases coordination among providers treating patients for SUDs, strengthens confidentiality protections through civil enforcement, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today’s&amp;nbsp;&lt;a href="https://www.federalregister.gov/public-inspection/2024-02544/confidentiality-of-substance-use-disorder-patient-records"&gt;rule&lt;/a&gt;&amp;nbsp;was informed by the bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that, among other things, required HHS to bring the Part 2 program into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Patient confidentiality is one of the bedrock principals in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “The Final Rule supports access to care and treatment and mitigates the discrimination and stigmatization that we know too often people with SUD experience while continuing to apply stringent privacy protections.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The final rule includes the following modifications to Part 2:&lt;/font&gt;&lt;/p&gt;

&lt;div style="margin-left: 2em"&gt;
  &lt;ul&gt;
    &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Permits use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations.&lt;/font&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Permits redisclosure of Part 2 records by HIPAA covered entities and business associates in accordance with the HIPAA Privacy Rule, with certain exceptions.&lt;/font&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provides new rights for patients under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.&lt;/font&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Expands prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.&lt;/font&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Provides HHS enforcement authority, including the potential imposition of civil money penalties for violations of Part 2.&lt;/font&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Outlines new breach notification requirements applying to Part 2 records.&lt;/font&gt;&lt;/li&gt;
  &lt;/ul&gt;
&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13371162</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13371162</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 06 Feb 2024 16:35:43 GMT</pubDate>
      <title>HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center, a non-profit hospital system based in New York City for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR is responsible for administering and enforcing health information privacy, including enforcement of the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html" style=""&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;&amp;nbsp;for the health care sector. OCR plays a unique role in serving as the agency at HHS that enforces federal civil rights, privacy and security laws in health care. &amp;nbsp;HIPAA requires that health care providers, insurers and others take steps to protect the privacy and security of patients’ protected health information. The $4.75 million monetary settlement and corrective action resolves multiple potential failures by Montefiore Medical Center relating to data security failures by Montefiore that led to an employee stealing and selling patients’ protected health information over a six-month period.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The action is the latest step by HHS, which released a&amp;nbsp;&lt;a href="https://www.hhs.gov/about/news/2023/12/06/hhs-announces-next-steps-ongoing-work-enhance-cybersecurity-health-care-public-health-sectors.html"&gt;Department-wide Cybersecurity strategy&lt;/a&gt;&amp;nbsp;for the health care sector in December of 2023, and released&amp;nbsp;&lt;a href="https://aspr.hhs.gov/newsroom/Pages/HHS-Releases-CPGs-and-Gateway-Website-Jan2024.aspx"&gt;voluntary performance goals to enhance cybersecurity&lt;/a&gt;&amp;nbsp;across the health sector just last week.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” said HHS Deputy Secretary Andrea Palm. “Our priority is and always has been improving the quality of health care patients receive. Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;In May 2015, the New York Police Department informed Montefiore Medical Center that there was evidence of theft of a specific patient’s medical information. The incident prompted Montefiore Medical Center to conduct an internal investigation. It discovered that two years prior, one of its employees had stolen the electronic protected health information of 12,517 patients and sold the information to an identity theft ring. Montefiore Medical Center filed a breach report with OCR.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures by Montefiore Medical Center to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information. Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack, or even to detect that the attack had happened, until years later.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Under the terms of the settlement, Montefiore Medical Center will pay $4,750,000 to OCR and implement a corrective action plan that identifies specific steps toward protecting the security of protected health information. These actions include:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Developing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the Risk Analysis;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use electronic protected health information;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reviewing and revising, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Providing training to its workforce on HIPAA policies and procedures.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR will monitor Montefiore Medical Center for two years to ensure compliance with the law.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;According to OCR’s breach reports, over 134 million individuals were affected by large breaches in 2023, compared with 55 million in 2022. OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA implement safeguards to mitigate or prevent cyber threats. These include:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Integrating risk analysis and risk management into business processes; and ensuring that they are conducted regularly, especially when new technologies and business operations are planned. Ensuring audit controls are in place to record and examine information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Implementing regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Encrypting protected health information to guard against unauthorized access.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Incorporating lessons learned from previous incidents into the overall security management process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Providing training specific to the organization and to job responsibilities, on a regular basis; and reinforcing workforce members’ critical role in protecting privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13371164</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13371164</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 20 Nov 2023 19:44:32 GMT</pubDate>
      <title>HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Saint Joseph’s Medical Center is a non-profit academic medical center in New York that provides a full range of health care services. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR investigated Saint Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR determined that Saint Joseph’s Medical Center disclosed three patients’ protected health information to the Associated Press without first obtaining written authorization from the patients, therefore potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a health care provider), may not use or disclose protected health information, except either:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;As the HIPAA Privacy Rule permits or requires; or&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Therefore, regulated entities cannot disclose a patient’s protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when health care providers have print or television reporters on the premises.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Saint Joseph’s Medical Center paid $80,000 to OCR and agreed to implement a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule. Saint Joseph’s Medical Center also agreed to train its workforce on the revised policies and procedures. Under this agreement, OCR will monitor St. Joseph’s Medical Center for two years to ensure compliance under the plan and with the law.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13296121</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13296121</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 31 Oct 2023 17:20:29 GMT</pubDate>
      <title>HHS’ Office for Civil Rights Settles Ransomware Cyber-Attack Investigation with Doctors’ Management Services</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR Settles with Business Associate in attack affecting over 200,000 individuals.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services, a Massachusetts medical management company that provides a variety of services, including medical billing and payor credentialing. The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. The $100,000 settlement resolves a large breach report regarding a ransomware attack that affected the electronic protected health information of 206,695 individuals. Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. This marks the first ransomware agreement OCR has reached.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;October is Cybersecurity Awareness Month, and OCR has been working with health insurers, providers, and clearinghouses covered by HIPAA to ensure better data security. Ransomware and hacking are the primary cyber-threats in health care. In the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60% increase from last year.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly reviewing risks and records and updating policies. These practices should happen regularly across an enterprise to prevent future attacks.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;On April 22, 2019, Doctors’ Management Services filed a breach report with HHS stating that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR’s investigation found evidence of potential failures by Doctors’ Management Services to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps that Doctors’ Management Services will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information, including:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctors’ Management Services data, in order to protect the confidentiality, integrity, and availability of electronic protected health information.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Provide workforce training on HIPAA policies and procedures.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Risk analysis and risk management should be integrated into business processes; conducted regularly and when new technologies and business operations are planned.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Ensure audit controls are in place to record and examine information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Implement regular review of information system activity.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Encrypt ePHI to guard against unauthorized access to ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Incorporate lessons learned from incidents into the overall security management process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Provide training specific to the organization and to job responsibilities, on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;
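&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Both this list and the Montefiore settlement above ask regulated entities to put audit controls in place and to review information system activity regularly; Montefiore could not detect an employee copying 12,517 patients’ records because no such review existed. The following is an added example, not code from OCR, HHS, or either settlement: a small Python review of ePHI access audit records that flags an account reading far more distinct patient records in a day than its peers, the pattern a bulk insider copy leaves behind. The log format (timestamp, user, action, patient id), the sample records, and the two thresholds are all constructed assumptions, and the robust z-score is one reasonable baseline, not a method the OCR releases prescribe.&lt;/font&gt;&lt;/p&gt;

```python
"""Added example: periodic review of ePHI access audit records.

Everything here is constructed for illustration: the log format
(timestamp,user,action,patient_id), the sample records, and the
thresholds are assumptions, not anything from the OCR settlements.
"""
from collections import defaultdict
from datetime import datetime
import operator
import statistics


def build_sample_log():
    """Constructed audit records in the assumed CSV format.

    Two accounts view a few records per day; one account views 24
    distinct patient records on the second day, the bulk-read pattern
    that an insider copying data for resale would leave behind.
    """
    per_user_per_day = {"nurse01": [4, 3], "nurse02": [5, 4], "clerk07": [3, 24]}
    lines = []
    for user, counts in per_user_per_day.items():
        for day_offset, n in enumerate(counts):
            for i in range(n):
                lines.append(
                    f"2024-01-0{day_offset + 8}T09:{i:02d}:00,{user},VIEW,P{1000 + i}"
                )
    return "\n".join(lines)


def parse_log(text):
    """Yield (day, user, patient_id) from the assumed format; skip blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        timestamp, user, _action, patient = line.split(",")
        yield datetime.fromisoformat(timestamp).date(), user, patient


def distinct_patients_per_user_day(text):
    """Map (user, day) to the number of distinct patient records touched."""
    seen = defaultdict(set)
    for day, user, patient in parse_log(text):
        seen[(user, day)].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def flag_bulk_access(text, z_threshold=3.0, min_records=10):
    """Return (user, day, count, robust_z) for user-days whose distinct-record
    count sits far above the population median. A median/MAD z-score is used
    so that the one outlier cannot drag the baseline upward the way a mean
    would; both thresholds are assumed tuning values.
    """
    counts = distinct_patients_per_user_day(text)
    if not counts:
        return []
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values) or 1.0
    flagged = []
    for (user, day), n in sorted(counts.items()):
        z = (n - median) / (1.4826 * mad)
        if operator.ge(z, z_threshold) and operator.ge(n, min_records):
            flagged.append((user, day.isoformat(), n, round(z, 1)))
    return flagged


if __name__ == "__main__":
    # On the constructed sample only clerk07's second day is flagged.
    for user, day, n, z in flag_bulk_access(build_sample_log()):
        print(f"REVIEW {user} on {day}: {n} distinct patient records (robust z={z})")
```

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In practice the same review would run on a schedule against the real audit trail, with the flagged user-days routed to the privacy or security office for follow-up under the sanction policy; the point of the example is that the data to catch a six-month insider theft is cheap to collect and cheap to examine once the audit controls exist.&lt;/font&gt;&lt;/p&gt;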

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13278820</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13278820</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 19 Oct 2023 17:19:15 GMT</pubDate>
      <title>October 2023 OCR Cybersecurity Newsletter: How Sanction Policies Can Support HIPAA Compliance</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Last year, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief on the different types of social engineering&lt;sup style=""&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html#ftn1"&gt;1&lt;/a&gt;&lt;/sup&gt;&amp;nbsp;that hackers use to gain access to healthcare information systems and data.&amp;nbsp;The threat brief recommended several protective measures to combat social engineering, one of which was holding “every department accountable for security.” An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) require covered entities and business associates (“regulated entities”) to ensure that workforce members&amp;nbsp;comply with the HIPAA Rules. Regulated entities are responsible for protecting the privacy and security of protected health information (PHI)&lt;sup&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html#ftn4"&gt;4&lt;/a&gt;&lt;/sup&gt;&amp;nbsp;by training their workforce, adopting written policies and procedures, and sanctioning workforce members who violate those policies and procedures.&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Sanction policies are specifically required by both the Privacy Rule and the Security Rule:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The Privacy Rule requires covered entities&lt;sup&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html#ftn6"&gt;6&lt;/a&gt;&lt;/sup&gt;&amp;nbsp;to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule] of this part.”&lt;sup&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2023/index.html#ftn7"&gt;7&lt;/a&gt;&lt;/sup&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The Functions of a Sanction Policy&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Sanction policies can improve a regulated entity’s compliance with the HIPAA Rules. Imposing consequences on workforce members who violate a regulated entity’s policies or the HIPAA Rules can be effective in creating a culture of HIPAA compliance and improved cybersecurity, because the knowledge that there is “a negative consequence to noncompliance enhances the likelihood of compliance.”&amp;nbsp;Training workforce members on a regulated entity’s sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which “actions are prohibited and punishable.” A sanction policy that clearly communicates a regulated entity’s expectations should ensure that workforce members understand their individual compliance obligations and the consequences of noncompliance.&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Content: What Should a Sanction Policy Look Like?&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Because HIPAA regulated entities “are so varied in terms of installed technology, size, resources, and relative risk,”&amp;nbsp;the HIPAA Rules allow for a flexibility of approach to achieve compliance. This flexibility of approach also extends to sanction policies: the Privacy Rule preamble states that “we leave the details of sanction policies to the discretion of the covered entity . . . [that] will be familiar with the circumstances of the violation . . . .”&amp;nbsp;Similarly, the Security Rule preamble states that regulated entities “have the flexibility to implement the standard in a manner consistent with numerous factors, including such things as, but not limited to, their size, degree of risk, and environment.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The HIPAA Rules do not require regulated entities to impose any specific penalty for any individual violation, or to implement any particular sanction methodology. Rather, in any individual case “[t]he type and severity of sanctions imposed, and for what causes, must be determined by each covered entity [or business associate] based upon its security policy and the relative severity of the violation.” Regulated entities may structure their sanction policies in the manner most suitable to their organization.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Regulated entities may want to consider the following when drafting or revising their sanction policies:&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Documenting or implementing sanction policies pursuant to a formal process.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Requiring workforce members to affirmatively acknowledge that a violation of the organization’s HIPAA policies or procedures may result in sanctions.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Documenting the sanction process, including the personnel involved, the procedural steps, the time-period, the reason for the sanction(s), and the final outcome of an investigation. NOTE: These records should be retained for at least six years.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Creating sanctions that are “appropriate to the nature of the violation.”&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Creating sanctions that “vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information.”&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Creating sanctions that “range from a warning to termination.”&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Providing examples “of potential violations of policy and procedures.”&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;By making these considerations, regulated entities can craft a thoughtful and well-documented sanction policy that informs workforce members of the regulated entity’s expectations, deters misconduct, and promotes HIPAA compliance through greater understanding and transparency of the policies and procedures that protect the privacy and security of PHI.&amp;nbsp;&amp;nbsp; &amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Execution: Sanctioning Consistently&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;How a regulated entity implements its sanction policy is just as important as the policy’s content. It is important for a regulated entity to consider whether its sanction policies align with its general disciplinary policies, and how the individuals or departments involved in the sanction processes can work in concert, when appropriate. Regulated entities may also want to consider how sanction policies can be fairly and consistently applied throughout the organization, to all workforce members, including management. Indeed, sanctioning workforce members inconsistently can undermine the integrity of a regulated entity’s compliance program.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In 2017 and 2018, OCR resolved two investigations with regulated entities that potentially violated the HIPAA Rules’ sanctions requirements. In the first case, OCR found evidence that the regulated entity potentially “impermissibly disclosed the patient’s PHI through press releases issued to fifteen media outlets and/or reporters,” and senior leaders disclosed the patient’s PHI to advocacy groups and in a published statement on their website. OCR also found evidence that the regulated entity potentially “failed to document timely the sanctions imposed against members of its workforce who failed to comply with its privacy policies and procedures or the Privacy Rule.”&amp;nbsp;In the second case, OCR found evidence of a potential violation of the sanction requirements when a workforce member allegedly disclosed PHI to a reporter, and the regulated entity then allegedly “failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity's privacy policies and procedures and the Privacy Rule.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Conclusion&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Sanction policies offer a great opportunity for regulated entities to establish and communicate compliance obligations and expectations to their workforce members. The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability, understanding, and transparency. At a time when the need for constant vigilance to protect ePHI is at an all-time high due to hacking and other threats to the privacy and security of health information, regulated entities should make sure that their policies and practices include sanction policies that hold all workforce members accountable for noncompliance with the HIPAA Rules.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13278819</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13278819</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 11 Sep 2023 17:17:53 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;LA Care, the largest publicly operated health plan in the country paid $1,300,000 to settle&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules&amp;nbsp;with LA Care, the nation's largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. OCR enforces the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/index.html"&gt;HIPAA Privacy, Security, and Breach Notification Rules&lt;/a&gt;&amp;nbsp;that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI).&amp;nbsp; The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident.&amp;nbsp; Under the agreement, LA Care agreed to pay $1,300,000 and to implement a corrective action plan, discussed in further detail below, which identifies steps LA Care will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic protected health information (ePHI).&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer.&amp;nbsp; “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.&amp;nbsp; Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The potential violations in this case included:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Failure to implement sufficient procedures to regularly review records of information system activity,&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR’s investigation found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across LA Care’s organization, a serious concern given the size of this covered entity. In addition to the monetary settlement, LA Care has agreed to take the following steps under a comprehensive corrective action plan that will be monitored for three years by OCR to ensure compliance with HIPAA:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13278817</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13278817</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 24 Aug 2023 17:14:09 GMT</pubDate>
      <title>UnitedHealthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has announced a settlement with UnitedHealthcare Insurance Company (“UHIC”), a health insurer that provides insurance coverage to millions of individuals across the U.S., concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 45th Right of Access case to be resolved via voluntary settlement. UHIC agreed to implement a corrective action plan and pay $80,000 to resolve this investigation.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“Timely access to health information is one of the cornerstones of HIPAA. OCR will continue to ensure that covered entities with a record of delaying or denying access requests will be subject to enforcement,” said OCR Director, Melanie Fontes Rainer. “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In March 2021, OCR received a complaint alleging that UHIC did not respond to an individual’s request for a copy of their medical record. The individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation.&amp;nbsp; This was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. OCR's investigation determined that UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13278815</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13278815</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 20 Jul 2023 17:12:53 GMT</pubDate>
      <title>HHS OCR &amp; FTC Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Tech</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) are cautioning hospitals and telehealth providers about the privacy and security risks related to the use of online tracking technologies that may be integrated into their websites or mobile apps that may be impermissibly disclosing consumers’ sensitive personal health data to third parties. Tracking technologies are used to collect and analyze information about how users interact with websites or mobile apps.&amp;nbsp;Generally, tracking technologies developed by third parties send information directly to the third parties who developed such technologies and may continue to track users and gather information about them even after they navigate away from the original website to other websites.&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR administers and enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules which set minimum privacy and security standards for the protection of certain individually identifiable health information. FTC’s mission is protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement, advocacy, research, and education.&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“Although online tracking technologies can be used for beneficial purposes, patients and others should not have to sacrifice the privacy of their health information when using a hospital’s website,” said Melanie Fontes Rainer, OCR Director. “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“When consumers visit a hospital’s website or seek telehealth services, they should not have to worry that their most private and sensitive health information may be disclosed to advertisers and other unnamed, hidden third parties,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is again serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The two agencies sent the&amp;nbsp;&lt;a href="https://www.hhs.gov/sites/default/files/use-online-tracking-technologies.pdf"&gt;joint letter&amp;nbsp;- PDF&lt;/a&gt;&amp;nbsp;to approximately 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities. These tracking technologies gather identifiable information about users, usually without their knowledge and in ways that are hard for users to avoid, as users interact with a website or mobile app.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR highlighted these concerns in a&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html"&gt;bulletin it issued late last year&lt;/a&gt;&amp;nbsp;that reminded entities covered by HIPAA of their responsibilities to protect health data from unauthorized disclosure under the law.&amp;nbsp; Since that time, OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. Through its recent enforcement actions against&amp;nbsp;&lt;a href="https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook"&gt;BetterHelp&lt;/a&gt;,&amp;nbsp;&lt;a href="https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising"&gt;GoodRx&lt;/a&gt;&amp;nbsp;and&amp;nbsp;&lt;a href="https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc"&gt;Premom&lt;/a&gt;, as well as recent&amp;nbsp;&lt;a href="https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/03/lurking-beneath-surface-hidden-impacts-pixel-tracking"&gt;guidance&lt;/a&gt;&amp;nbsp;from the FTC’s Office of Technology, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.&lt;/font&gt;&lt;/p&gt;
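
&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The joint letter is about what tracking code sends to the third party as a visitor moves through a site. The Python script below is an added example, not the agencies’ or any vendor’s code, of the kind of check the FTC guidance asks for: reviewing captured outbound browser requests for third-party calls that carry the visited page URL or title off-site. It assumes a hypothetical first-party host (hospital.example), a short list of tracker hosts, and that pixel and analytics requests carry the page URL, title and referrer in query parameters modeled on the dl, dt and rl parameters of the Meta pixel and Google Analytics collect endpoints; the captured requests themselves are constructed for the example.&lt;/font&gt;&lt;/p&gt;

```python
"""Audit of captured outbound browser requests for third-party tracking
calls that carry the visited page URL or title off-site.

Added example; not the agencies' or any vendor's code. The hospital host,
tracker host list, sensitive-path markers and captured requests are all
constructed. The dl/dt/rl query parameters are modeled on those the Meta
pixel and Google Analytics collect endpoints use; treat the names as an
assumption and adjust them to what your own captures show."""
from urllib.parse import parse_qs, urlencode, urlsplit

SITE_HOST = "hospital.example"  # hypothetical first-party host

# Assumed list of hosts operated by tracking vendors.
TRACKER_HOSTS = {
    "www.facebook.com", "connect.facebook.net",
    "www.google-analytics.com", "www.googletagmanager.com", "analytics.google.com",
}

# Assumed path/title fragments that reveal a health-related visit.
SENSITIVE_MARKERS = ("appointment", "telehealth", "condition", "diagnosis", "portal")

# Query parameters through which page URL, title and referrer leave the site.
DISCLOSING_PARAMS = ("dl", "dt", "rl")


def tracker_request(host, path, page_url, **extra):
    """Build a tracker call like the one a pixel emits for page_url (constructed)."""
    return f"https://{host}{path}?" + urlencode({"dl": page_url, **extra})


def is_first_party(hostname, site_host=SITE_HOST):
    """True for the site itself and its subdomains."""
    return hostname == site_host or hostname.endswith("." + site_host)


def classify_request(url, site_host=SITE_HOST):
    """Return None for first-party requests, else a finding dict describing
    what the third-party request discloses and whether it looks sensitive."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_first_party(host, site_host):
        return None
    params = parse_qs(parts.query)
    disclosed = [v for key in DISCLOSING_PARAMS for v in params.get(key, [])]
    sensitive = any(m in value.lower() for value in disclosed for m in SENSITIVE_MARKERS)
    return {
        "host": host,
        "known_tracker": host in TRACKER_HOSTS,
        "discloses": disclosed,
        "sensitive": sensitive,
    }


def audit(urls, site_host=SITE_HOST):
    """All third-party findings, sensitive ones first, known trackers next."""
    findings = [f for f in (classify_request(u, site_host) for u in urls) if f]
    return sorted(findings, key=lambda f: (not f["sensitive"], not f["known_tracker"], f["host"]))


# Constructed capture of what a browser sent while a visitor moved through the site.
SAMPLE_REQUESTS = [
    "https://hospital.example/static/app.js",
    tracker_request("www.facebook.com", "/tr/",
                    "https://hospital.example/appointments/schedule?specialty=oncology",
                    id="000000000000000", ev="PageView"),
    tracker_request("www.google-analytics.com", "/g/collect",
                    "https://hospital.example/telehealth/visit",
                    v="2", tid="G-XXXXXXX", dt="Telehealth visit"),
    tracker_request("www.google-analytics.com", "/g/collect",
                    "https://hospital.example/about", v="2", tid="G-XXXXXXX", dt="About us"),
    "https://cdn.example.net/fonts/georgia.woff2",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        flag = "SENSITIVE" if f["sensitive"] else "third-party"
        print(f"{flag:11} {f['host']:28} discloses {f['discloses']}")
```

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Feeding the script a real capture (a browser HAR export, or proxy logs from a test walk through scheduling and telehealth pages) shows which vendor receives which page URL; the markers list is the place to add the path segments that matter on your own site. A request to an unlisted host is still reported, since a tracker the list does not know about is the one most likely to be missed.&lt;/font&gt;&lt;/p&gt;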

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13278812</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13278812</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 28 Jun 2023 15:49:55 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers. &amp;nbsp;The settlement involved a data breach, where a network server containing the protected health information of 267 individuals was left unsecure on the internet.&amp;nbsp; The HIPAA Privacy, Security, and Breach Notification Rules set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In August 2017, OCR initiated an investigation of iHealth Solutions following the receipt of a breach report stating that iHealth Solutions had experienced an unauthorized transfer of protected health information, known as exfiltration, from its unsecured server. The protected health information included patient names, dates of birth, addresses, Social Security numbers, email addresses, diagnoses, treatment information, medical procedures, and medical histories. In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;iHealth Solutions has paid $75,000 to OCR and agreed to implement a corrective action plan, which identifies steps iHealth Solutions will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information.&amp;nbsp;Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ihealth-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ihealth-ra-cap/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at&amp;nbsp;&lt;a href="https://www.hhs.gov/ocr/complaints/index.html"&gt;https://www.hhs.gov/ocr/complaints/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13232549</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13232549</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 15 Jun 2023 15:48:54 GMT</pubDate>
      <title>Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). &amp;nbsp;OCR investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals. &amp;nbsp;HIPAA is a federal law that protects the privacy and security of protected health information.&amp;nbsp; The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care organizations and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. &amp;nbsp;To voluntarily resolve this matter, Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In May 2018, OCR initiated an investigation of Yakima Valley Memorial Hospital following the receipt of a breach notification report, stating that 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;As a result of the settlement agreement, Yakima Valley Memorial Hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Yakima Valley Memorial Hospital has agreed to take the following steps to bring their organization into compliance with the HIPAA Rules:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;
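
&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The LA Care settlement above faulted the absence of procedures to regularly review records of information system activity, and this Yakima Valley case shows what such a review is meant to catch: workforce members opening charts with valid credentials but no job-related purpose. The Python script below is an added illustration of that review, not OCR’s tooling or either entity’s; the audit-log layout, the role names, the daily distinct-patient threshold and the log excerpt are all constructed for the example.&lt;/font&gt;&lt;/p&gt;

```python
"""Audit-log review: flag chart access by roles with no job-related need,
and unusually broad access by any one user in a day.

Added illustration only; not the tooling of OCR, LA Care or Yakima Valley
Memorial Hospital. Log layout, role names and thresholds are assumptions."""
import csv
import io
from collections import Counter, defaultdict

# Assumed role policy: roles that may open patient charts at all.
# Security staff are deliberately absent: badge-access duties carry no
# job-related need to read clinical records.
ROLES_WITH_CHART_ACCESS = {"physician", "nurse", "registration", "billing"}

# Assumed threshold: distinct patients one user may open per day before the
# pattern is escalated, even when the role itself is permitted.
MAX_DISTINCT_PATIENTS_PER_DAY = 25

# Actions that count as touching a chart (assumed names).
CHART_ACTIONS = {"view_chart", "update_chart", "print_chart"}

# Constructed audit-log excerpt (not real data): date,user,role,mrn,action
SAMPLE_AUDIT_LOG = """date,user,role,mrn,action
2018-05-01,rnadams,nurse,MRN1001,view_chart
2018-05-01,rnadams,nurse,MRN1002,view_chart
2018-05-01,guard07,security,MRN1001,view_chart
2018-05-01,guard07,security,MRN1003,view_chart
2018-05-01,guard12,security,MRN1004,view_chart
2018-05-01,drlee,physician,MRN1005,view_chart
2018-05-01,drlee,physician,MRN1005,update_chart
2018-05-02,guard07,security,MRN1006,view_chart
"""
# One billing user sweeping 30 charts in a single day, also constructed.
SAMPLE_AUDIT_LOG += "".join(
    f"2018-05-01,bill02,billing,MRN2{i:03d},view_chart\n" for i in range(30)
)


def parse_log(text):
    """Parse the CSV audit records into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_audit_log(records, roles_allowed=ROLES_WITH_CHART_ACCESS,
                     max_patients=MAX_DISTINCT_PATIENTS_PER_DAY):
    """Return findings as dicts with keys kind, user, role, date, detail.

    kind is 'role_no_need' for any chart action by a role outside the
    policy, or 'excessive_breadth' when one user touches more distinct
    patients in a day than the threshold allows."""
    findings = []
    distinct_per_user_day = defaultdict(set)
    for rec in records:
        if rec["action"] not in CHART_ACTIONS:
            continue
        if rec["role"] not in roles_allowed:
            findings.append({
                "kind": "role_no_need", "user": rec["user"], "role": rec["role"],
                "date": rec["date"], "detail": f"{rec['action']} on {rec['mrn']}",
            })
        distinct_per_user_day[(rec["date"], rec["user"], rec["role"])].add(rec["mrn"])
    for (date, user, role), mrns in sorted(distinct_per_user_day.items()):
        if len(mrns) > max_patients:
            findings.append({
                "kind": "excessive_breadth", "user": user, "role": role,
                "date": date, "detail": f"{len(mrns)} distinct patients",
            })
    return findings


def findings_by_user(findings):
    """Count findings per user so repeat offenders sort to the top."""
    return Counter(f["user"] for f in findings).most_common()


if __name__ == "__main__":
    results = review_audit_log(parse_log(SAMPLE_AUDIT_LOG))
    for f in results:
        print(f"{f['date']} {f['kind']:18} {f['user']:8} ({f['role']}) {f['detail']}")
    print(findings_by_user(results))
```

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The role check catches the Yakima pattern outright, since no security role appears in the policy. The breadth threshold is what surfaces permitted roles that open far more charts than their work explains, which only a regular review of the activity records can reveal; the EHR’s own access controls will not, because every one of those logins was valid.&lt;/font&gt;&lt;/p&gt;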

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/yakima-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/yakima-ra-cap/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information.&amp;nbsp; If you believe that you or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at&amp;nbsp;&lt;a href="https://www.hhs.gov/ocr/complaints/index.html"&gt;https://www.hhs.gov/ocr/complaints/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13232548</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13232548</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 05 Jun 2023 19:19:11 GMT</pubDate>
      <title>HHS Office for Civil Rights Reaches Agreement with Health Care Provider in New Jersey That Disclosed Patient Information in Response to Negative Online Reviews</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announces a settlement with Manasa Health Center, LLC, a health care provider in New Jersey that provides adult and child psychiatric services. The settlement resolves a complaint received by OCR in April 2020, alleging that Manasa Health Center impermissibly disclosed the protected health information of a patient when the entity posted a response to the patient’s negative online review. Following an OCR investigation, potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule include impermissible disclosures of patient protected health information in response to negative online reviews, and failure to implement policies and procedures with respect to protected health information. Manasa Health Center paid $30,000 to OCR and agreed to implement a corrective action plan to resolve these potential violations. &amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” said OCR Director Melanie Fontes Rainer.&amp;nbsp;“The HIPAA Privacy Rule expressly protects patients from this type of activity, which is a clear violation of both patient trust and the law. OCR will investigate and take action when we learn of such impermissible disclosures, no matter how large or small the organization.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR opened an investigation in response to a complaint by a patient alleging that Manasa Health Center posted a response to the patient’s negative online review that included specific information regarding the individual’s diagnosis and treatment of their mental health condition. In addition to the patient who filed the complaint, OCR’s investigation found that Manasa Health Center impermissibly disclosed the protected health information of three other patients in response to their negative online reviews. OCR’s investigation also found that Manasa Health Center failed to implement HIPAA Privacy policies and procedures.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In addition to the monetary settlement, Manasa Health Center will undertake a corrective action plan that will be monitored for two years by OCR to ensure compliance with the HIPAA Privacy Rule.&amp;nbsp;The corrective action plan includes the following steps:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop, maintain, and revise its written policies and procedures to comply with the HIPAA Privacy Rule,&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Train all members of Manasa Health Center’s workforce, including owners and managers, on the organization’s policies and procedures to comply with the HIPAA Privacy and Security Rules,&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Within 30 calendar days of the agreement, Manasa Health Center shall issue breach notices to all individuals, or their personal representatives, whose protected health information is disclosed on any internet platform without a valid authorization, and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Within 30 calendar days of the agreement, Manasa Health Center shall submit a breach report to HHS concerning individuals whose protected health information is disclosed on any internet platform without a valid authorization.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/manasa-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/manasa-ra-cap/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13215327</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13215327</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 16 May 2023 19:17:41 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc., a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered health care entities. The settlement concludes OCR’s investigation of a data breach, where a server containing the protected health information of 230,572 individuals was left unsecure and accessible on the internet.&amp;nbsp; HIPAA is the federal law that required the establishment of national standards to protect the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care breaches and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor.&amp;nbsp;The HIPAA Rules require that covered entities and business associates (person or entity that has access to protected health information as part of their relationship with a covered entity), enter into contracts – or business associate agreements – that generally document the permissible uses and disclosures of protected health information, that appropriate safeguards will be implemented, and that the covered entity will be notified of any breaches. &amp;nbsp;MedEvolve has paid a $350,000 monetary settlement to OCR and agreed to implement a corrective action plan which identifies steps MedEvolve will take to resolve these potential violations and protect the security of electronic patient health information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“Ensuring that security measures are in place to protect electronic protected health information where it is stored is an integral part of cybersecurity and the protection of patient privacy,” said OCR Director Melanie Fontes Rainer. “HIPAA regulated entities must ensure that they are not leaving patient health information unsecured on network servers available to the public via the internet.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In July 2018, OCR initiated an investigation of MedEvolve following the receipt of a&amp;nbsp;&lt;a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf"&gt;breach notification report&lt;/a&gt;&amp;nbsp;stating that an FTP server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor's office account numbers, and in some cases Social Security numbers. OCR investigates every report we receive of breaches of unsecured protected health information affecting 500 or more people. Hacking/IT incidents was the most frequent (79%) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for breaches involving 500 or more individuals. It is critical that HIPAA covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors. &amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;As a result of the settlement agreement, MedEvolve will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. &amp;nbsp;MedEvolve has agreed to take the following steps:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Develop, maintain, and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy and Security Rules;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Augment its existing HIPAA and Security Training Program for all MedEvolve workforce members who have access to protected health information; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Report to HHS within sixty (60) days when workforce members fail to comply with MedEvolve’s written policies and procedures to comply with the HIPAA Privacy and Security Rules.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The resolution agreement and corrective action plan may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/medevolve-ra-cap/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/medevolve-ra-cap/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13215325</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13215325</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 08 May 2023 19:16:48 GMT</pubDate>
      <title>HHS Office for Civil Rights Enters Into $15,000 Settlement Resolving Potential HIPAA Violation Under the Right of Access Initiative</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR has announced a settlement with David Mente, MA, LPC (“Mente”), a licensed counselor providing psychotherapy services in Pittsburgh, Pennsylvania, concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 44th case to be resolved under OCR’s HIPAA Right of Access Initiative, designed to improve compliance by regulated entities with the law.&amp;nbsp; Under the resolution agreement (RA), Mente must respond to the right of access request without delay, implement a corrective action plan (CAP) to be in compliance with the HIPAA Privacy Rule and pay a resolution amount of $15,000:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2023/05/08/hhs-office-civil-rights-enters-settlement-resolving-potential-hipaa-violation-right-access-initiative.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/mente-ra-cap/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the Resolution Agreement and Correction Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13215323</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13215323</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 11 Apr 2023 19:11:20 GMT</pubDate>
      <title>HHS Office for Civil Rights Announces the Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announces that the Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”) would be applied to certain violations during the COVID-19 nationwide public health emergency. These Notifications and the effective beginning and end dates are:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;a href="https://www.govinfo.gov/content/pkg/FR-2020-05-18/pdf/2020-09099.pdf"&gt;Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency&amp;nbsp;- PDF&lt;/a&gt;, effective from March 13, 2020, to 11:59 pm May 11, 2023.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;a href="https://www.govinfo.gov/content/pkg/FR-2020-04-21/pdf/2020-08416.pdf"&gt;Enforcement Discretion for Telehealth Remote Communications During the COVID–19 Nationwide Public Health Emergency&amp;nbsp;- PDF&lt;/a&gt;&amp;nbsp;(“Telehealth Notification”), effective from March 17, 2020, to 11:59 pm May 11, 2023.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;a href="https://www.govinfo.gov/content/pkg/FR-2020-04-07/pdf/2020-07268.pdf"&gt;Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19&amp;nbsp;- PDF&lt;/a&gt;, effective from April 7, 2020, to 11:59 pm May 11, 2023.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;a href="https://www.govinfo.gov/content/pkg/FR-2021-02-24/pdf/2021-03348.pdf"&gt;Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency&amp;nbsp;- PDF&lt;/a&gt;, effective from December 11, 2020, to 11:59 pm May 11, 2023.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency may be found at:&amp;nbsp;&lt;a href="https://public-inspection.federalregister.gov/2023-07824.pdf"&gt;https://public-inspection.federalregister.gov/2023-07824.pdf&amp;nbsp;- PDF&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13215319</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13215319</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 02 Feb 2023 19:04:48 GMT</pubDate>
      <title>HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking</title>
      <description>&lt;p&gt;&lt;strong&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Banner Health pays $1.25 million to settle cybersecurity breach that affected nearly 3 million people&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR has announced a settlement with Banner Health Affiliated Covered Entities (“Banner Health”), a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers. The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information:&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/banner-health-ra-cap/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the Resolution Agreement and Correction Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13215317</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13215317</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 01 Dec 2022 19:03:51 GMT</pubDate>
      <title>HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies.&amp;nbsp; These online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how internet users are interacting with a regulated entity’s website or mobile application.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules.&amp;nbsp; The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI.&amp;nbsp; Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today’s bulletin addresses potential impermissible disclosures of ePHI by HIPAA regulated entities to online technology tracking vendors. The Bulletin explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI when using tracking technologies to comply with the HIPAA Rules.&amp;nbsp; Specifically, the Bulletin provides insight and examples of:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Tracking on webpages&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Tracking within mobile apps&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA compliance obligations for regulated entities when using tracking technologies&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law.&amp;nbsp; This means considering the risks to patients’ health information when using tracking technologies,” said OCR Director Melanie Fontes Rainer. “Our Bulletin answers questions for those using tracking technologies, importantly how to protect the privacy and security of the health information they hold.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the Bulletin here:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13215314</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13215314</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 20 Sep 2022 19:00:11 GMT</pubDate>
      <title>OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's patient right of access to their medical records. These cases are part of a collective effort, bringing the total 41 cases, to drive compliance on right of access under the law. OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:&lt;/font&gt;&lt;/p&gt;

&lt;div style="margin-left: 2em"&gt;
  &lt;ul&gt;
    &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2022/09/20/ocr-settles-three-cases-dental-practices-patient-right-access-under-hipaa.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;font&gt;Read the&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/fdc/index.html"&gt;&lt;font&gt;Family Dental Care, P.C.&lt;/font&gt;&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;font&gt;Read the&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/gedc-ga/index.html"&gt;&lt;font&gt;Great Expressions Dental Center of Georgia, P.C.&lt;/font&gt;&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

    &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;font&gt;Read the&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/paradise/index.html"&gt;&lt;font&gt;B. Steven L. Hardy, D.D.S., LTD ("Paradise")&lt;/font&gt;&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;
  &lt;/ul&gt;
&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13215313</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13215313</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 23 Aug 2022 16:29:08 GMT</pubDate>
      <title>OCR Settles Case Concerning Improper Disposal of Protected Health Information</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR announced a settlement with New England Dermatology P.C., d/b/a a New England Dermatology and Laser Center (“NDELC”), over the improper disposal of protected health information, a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As a result, NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan to resolve this investigation. NEDLC is located in Massachusetts and provides dermatology services.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2022/08/23/ocr-settles-case-concerning-improper-disposal-protected-health-information.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nedlc-ra-cap/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/disposalfaqs.pdf"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read OCR’s FAQs concerning HIPAA and the disposal of protected health information&amp;nbsp;- PDF&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13113779</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13113779</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Fri, 15 Jul 2022 16:20:21 GMT</pubDate>
      <title>Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began.&amp;nbsp; OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html"&gt;HHS Press Release&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/acpm/index.html"&gt;ACPM Podiatry&lt;/a&gt;&amp;nbsp;&amp;nbsp;Notice of Proposed Determination, and Notice of Final Determination&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/associated-retina/index.html"&gt;Associated Retina Specialists&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/bell-dental/index.html"&gt;Lawrence Bell, Jr., D.D.S.&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/coastal-ent/index.html"&gt;Coastal Ear, Nose, and Throat (ENT)&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/danbury/index.html"&gt;Danbury Psychiatric Consultants (DPC)&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ecmc/index.html"&gt;Erie County Medical Center Corporation&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/fallbrook/index.html"&gt;Fallbrook Family Health Center&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hillcrest/index.html"&gt;Hillcrest Nursing and Rehabilitation&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/melrose/index.html"&gt;MelroseWakefield Healthcare (MWH)&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/memorial-hermann-roa/index.html"&gt;Memorial Hermann Health System&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/southwest-surgical/index.html"&gt;Southwest Surgical Associates (SWSA)&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <link>https://therapycomply.com/HIPAA/Blog/13113756</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13113756</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 14 Jul 2022 19:59:37 GMT</pubDate>
      <title>Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Oklahoma State University – Center for Health Sciences (OSU-CHS) has paid $875,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. OSU-CHS is a public land-grant research university which provides preventive, rehabilitative, and diagnostic care in Oklahoma.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2022/07/14/oklahoma-state-university-center-health-services-pays-875000-settle-hacking-breach.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/osu-ra-cap/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13085101</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13085101</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 29 Jun 2022 19:46:35 GMT</pubDate>
      <title>HHS Issues Guidance to Protect Patient Privacy in Wake of Supreme Court Decision on Roe</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;font&gt;On the heels of the Supreme Court ruling in&amp;nbsp;&lt;em style=""&gt;Dobbs vs. Jackson Women’s Health Organization&lt;/em&gt;, where the right to safe and legal abortion was taken away, President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/about/news/2022/06/28/remarks-by-secretary-xavier-becerra-at-the-press-conference-in-response-to-president-bidens-directive-following-overturning-of-roe-v-wade.html"&gt;&lt;font&gt;called on HHS agencies&lt;/font&gt;&lt;/a&gt;&lt;font&gt;&amp;nbsp;to take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care. Today, in direct response, the HHS Office for Civil Rights (OCR) issued new guidance to help protect patients seeking reproductive health care, as well as their providers.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;In general, the guidance does two things:&lt;/font&gt;&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Addresses how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.&lt;/font&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;“How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” said HHS Secretary Xavier Becerra. “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;This guidance addresses the circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of PHI without an individual’s authorization. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. Specifically, the guidance:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization,&amp;nbsp;&lt;strong&gt;only&lt;/strong&gt;&amp;nbsp;as expressly permitted or required by the Privacy Rule.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;OCR is also issuing information for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet. This guidance explains that, in most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge. This guidance:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Explains how to turn off the location services on Apple and Android devices.&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;font&gt;The guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care may be found at&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html"&gt;&lt;font&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html&lt;/font&gt;&lt;/a&gt;&lt;font&gt;.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;&lt;font&gt;The guidance on Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet may be found at&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html"&gt;&lt;font&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html&lt;/font&gt;&lt;/a&gt;&lt;font&gt;.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;Reference&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.hhs.gov/hipaa/newsroom/index.html"&gt;&lt;font face="Georgia" style="font-size: 17px;"&gt;HIPAA News Releases &amp;amp; Bulletins&lt;/font&gt;&lt;/a&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/13085099</link>
      <guid>https://therapycomply.com/HIPAA/Blog/13085099</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 13 Jun 2022 16:59:06 GMT</pubDate>
      <title>HHS Issues Guidance on HIPAA and Audio-Only Telehealth</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR),&amp;nbsp;is issuing guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s&amp;nbsp;&lt;a href="https://www.govinfo.gov/content/pkg/FR-2020-04-21/pdf/2020-08416.pdf" style=""&gt;Notification of Enforcement Discretion for Telehealth&amp;nbsp;- PDF&lt;/a&gt;&amp;nbsp;is no longer in effect.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;This guidance will help individuals to continue to benefit from audio-only telehealth by clarifying how covered entities can provide these services in compliance with the HIPAA Rules and by improving public confidence that covered entities are protecting the privacy and security of their health information.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;While telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area.&amp;nbsp; Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Guidance on How the HIPAA Rules Permit Health Plans and Covered Health Care Providers to Use Remote Communication Technologies for Audio-Only Telehealth may be found at:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/12817553</link>
      <guid>https://therapycomply.com/HIPAA/Blog/12817553</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 06 Apr 2022 16:57:48 GMT</pubDate>
      <title>HHS' Office for Civil Rights Seeks Public Comment on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements Under the HITECH Act</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) today released a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021.&amp;nbsp; The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI).&amp;nbsp; This RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Through today’s RFI, OCR is seeking public comment on the following provisions of law:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia"&gt;&lt;strong&gt;&lt;font style="font-size: 16px;"&gt;Recognized Security Practices.&lt;/font&gt;&lt;/strong&gt;&lt;font style="font-size: 16px;"&gt;&amp;nbsp;Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates&lt;a href="https://www.hhs.gov/about/news/2022/04/06/hhs-ocr-seeks-public-comment-on-recognized-security-practices-sharing-civil-money-penalties-monetary-settlements-under-hitech-act.html#footnote1_z0o4qgg" title="Generally, a business associate is a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity for a covered function, or provides certain services to or for a covered entity that includes the disclosure of PHI.&amp;nbsp; S"&gt;1&lt;/a&gt;&amp;nbsp;when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit.&amp;nbsp; Public Law 116-321 went into effect when it was signed into law on January 5, 2021.&lt;br&gt;
  &lt;br&gt;
  One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”&lt;br&gt;
  &lt;br&gt;
  The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.&lt;br&gt;
  &lt;br&gt;
  &lt;strong&gt;Civil Money Penalty (CMP) and Settlement Sharing.&lt;/strong&gt;&amp;nbsp;Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.&lt;br&gt;
  &lt;br&gt;
  The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.&lt;/font&gt;&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more:&amp;nbsp;&lt;a href="https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health" style=""&gt;https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/12817552</link>
      <guid>https://therapycomply.com/HIPAA/Blog/12817552</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 28 Mar 2022 16:57:11 GMT</pubDate>
      <title>Four HIPAA enforcement actions hold healthcare providers accountable with compliance</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations and one matter before an Administration Law Judge related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Two of these cases are part of OCR’s HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to twenty-seven since the initiative began. OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The other enforcement actions result from healthcare providers impermissibly disclosing their patients’ protected health information (PHI). &amp;nbsp;OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Rules, including the foundational Right of Access provision:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2022/03/28/four-hipaa-enforcement-actions-hold-healthcare-providers-accountable-with-compliance.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/brockley/index.html"&gt;Dr. Donald Brockley&lt;/a&gt;, D.D.M. Settlement Agreement&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/upi/index.html"&gt;Dr. U. Phillip Igbinadolor, D.M.D. &amp;amp; Associates, P.A. (UPI)&lt;/a&gt;&amp;nbsp;Notice of Proposed Determination and Notice of Final Determination&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/jacob-associates/index.html"&gt;Jacob and Associates&lt;/a&gt;&amp;nbsp;Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/northcutt/index.html" style=""&gt;Northcutt Dental-Fairhope, LLC&lt;/a&gt;&amp;nbsp;(Northcutt Dental) Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/12817551</link>
      <guid>https://therapycomply.com/HIPAA/Blog/12817551</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 28 Feb 2022 16:56:22 GMT</pubDate>
      <title>Improving the Cybersecurity Posture of Healthcare in 2022</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Cyberattacks grabbed headlines throughout 2021 as hacking and IT incidents affected government agencies, major companies, and even supply chains for essential goods, like gasoline.&amp;nbsp; For healthcare, this year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the Covid-19 pandemic.&amp;nbsp; More than one health care provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled. And at the end of December, a critical vulnerability in a widely used Java-based software known as “Log4j” grabbed headlines with warnings about the potential risks this security flaw could pose for organizations of all sizes.&amp;nbsp; Such unpatched vulnerabilities give hackers easy access to an organization’s computer server, and possible entry into other parts of a network. These reports underscore why it is so important for health care to be vigilant in their approach to cybersecurity.&amp;nbsp;With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;All too often, we see that risk analyses only cover the electronic health record.&amp;nbsp; I cannot underscore enough the importance of enterprise-wide risk analysis.&amp;nbsp; Risk management strategies need to be comprehensive in scope.&amp;nbsp; You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;If you haven’t looked at your risk management policies and procedures recently to prevent or mitigate these concerns, now is the time to do so.&amp;nbsp; Some best practices include:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Maintaining offline, encrypted backups of data and regularly test your backups;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Regular patches and updates of software and Operating Systems; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Training your employees regarding phishing and other common IT attacks.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Good cyber hygiene habits help keep your network healthy and protect the ePHI on your systems.&amp;nbsp; OCR is here to help with guidance and resources:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Ransomware: &amp;nbsp;&lt;a href="https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf"&gt;https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf&amp;nbsp;- PDF&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Cybersecurity:&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html"&gt;https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Risk Analysis:&amp;nbsp;&lt;a href="https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf"&gt;https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf&amp;nbsp;- PDF&lt;/a&gt;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;HHS Security Risk Assessment Tool:&amp;nbsp;&lt;a href="https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool" style=""&gt;https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool&lt;/a&gt;.&amp;nbsp;&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/12817549</link>
      <guid>https://therapycomply.com/HIPAA/Blog/12817549</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Mon, 20 Dec 2021 16:55:36 GMT</pubDate>
      <title>HHS Issues Guidance on HIPAA and Disclosures of Protected Health Information for Extreme Risk Protection Orders</title>
      <description>&lt;p&gt;&lt;font face="Georgia"&gt;&lt;font style="font-size: 16px;"&gt;The U.S. Department of Health and Human Services' (HHS) through its Office for Civil Rights (OCR)&amp;nbsp;is issuing guidance to help clarify how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits covered health care providers to disclose protected health information to support applications for extreme risk protection orders that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. &amp;nbsp;This guidance helps implement the U.S. Department of Justice's&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.justice.gov/doj/reducing-gun-violence/commentary-extreme-risk-protection-order-model-legislation"&gt;&lt;font style="font-size: 16px;"&gt;model extreme risk protection order legislation&lt;/font&gt;&lt;/a&gt;&lt;font style="font-size: 16px;"&gt;&amp;nbsp;that provides a framework for states to consider in creating laws allowing law enforcement, concerned family members, or others to seek these orders and to intervene in an effort to save lives.&amp;nbsp; These orders can be an important step toward improving the public's safety by helping to prevent firearm injuries and deaths.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The guidance issued today by OCR provides new guidance to support an extreme risk protection order on how HIPAA allows covered health care providers to disclose protected health information about an individual, without the individual's authorization. The guidance includes specific examples for each permission.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;"Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country," said HHS Secretary Xavier Becerra. "Today's guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing fire arms."&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;"HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis," said OCR Director Lisa J. Pino. "Today's guidance helps clarify legal requirements and to better support individuals in crisis."&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia"&gt;&lt;font style="font-size: 16px;"&gt;The Guidance on HIPAA and Disclosures of Protected Health Information for Extreme Risk Protection Orders may be found at:&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/extreme-risk-protection-orders/index.html"&gt;&lt;font style="font-size: 16px;"&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/extreme-risk-protection-orders/index.html&lt;/font&gt;&lt;/a&gt;&lt;font style="font-size: 16px;"&gt;.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;br&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/12817547</link>
      <guid>https://therapycomply.com/HIPAA/Blog/12817547</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Thu, 30 Sep 2021 21:59:25 GMT</pubDate>
      <title>OCR Issues Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Today, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR)&amp;nbsp;issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records. This is because the HIPAA Privacy Rule only applies to HIPAA covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions), and,&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html"&gt;in some cases, to their business associates&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Today's guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. This information will be helpful to the public as we continue to navigate the COVID-19 pandemic.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;"We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19," said OCR Director Lisa Pino.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;The Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace may be found at&amp;nbsp;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html" style=""&gt;https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html&lt;/a&gt;.&lt;/font&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11927996</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11927996</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Fri, 10 Sep 2021 22:00:31 GMT</pubDate>
      <title>OCR Resolves Twentieth Investigation in HIPAA Right of Access Initiative with $80,000 Settlement</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces the resolution of its twentieth investigation in its HIPAA Right of Access Initiative.&amp;nbsp; OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.&amp;nbsp; Children’s Hospital &amp;amp; Medical Center (CHMC) has agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.&amp;nbsp; CHMC is located in Omaha, Nebraska, and provides pediatric health care services.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/09/10/ocr-resolves-twentieth-investigation-in-hipaa-right-of-access-initiative-with-settlement.html"&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/chmc-ra-cap/index.html"&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928027</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928027</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 02 Jun 2021 22:02:23 GMT</pubDate>
      <title>OCR Settles Nineteenth Investigation in HIPAA Right of Access Initiative</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has announced its nineteenth settlement of an enforcement action in its HIPAA Right of Access Initiative, which supports individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The Diabetes, Endocrinology &amp;amp; Lipidology Center, Inc. (“DELC”) has agreed to take corrective actions and pay $5,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. DELC is a West Virginia based healthcare provider that provides treatment for Endocrine disorders.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/06/02/ocr-settles-nineteenth-investigation-hipaa-right-access-initiative.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/delc-ra-cap.pdf"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the Resolution Agreement and Corrective Action Plan&amp;nbsp;- PDF&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928099</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928099</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 25 May 2021 22:03:57 GMT</pubDate>
      <title>Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Times New Roman, serif"&gt;Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.&amp;nbsp; Peachstate is based in Georgia and is certified under the Clinical Laboratory Improvement Amendments of 1988 (CLIA).&amp;nbsp; Peachstate provides diagnostic and laboratory-developed tests, including clinical and genetic testing services.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/05/25/clinical-laboratory-pays-25000-settle-potential-hipaa-security-rule-violations.html"&gt;&lt;font style="font-size: 16px;" face="Times New Roman, serif"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/peachstate-ra-cap.pdf"&gt;&lt;font style="font-size: 16px;" face="Times New Roman, serif"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928158</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928158</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Fri, 26 Mar 2021 22:04:54 GMT</pubDate>
      <title>OCR Settles Eighteenth Investigation in HIPAA Right of Access Initiative</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its eighteenth settlement of an enforcement action in its HIPAA Right of Access Initiative. OCR announced this initiative to support individuals' right to timely access of their health records at a reasonable cost under the HIPAA Privacy Rule. Village Plastic Surgery ("VPS") has agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. VPS is located in New Jersey and provides cosmetic plastic surgery services.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/03/26/ocr-settles-eighteenth-investigation-hipaa-right-access-initiative.html"&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/village-plastic-surgery-ra-cap.pdf"&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928189</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928189</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 24 Mar 2021 22:05:46 GMT</pubDate>
      <title>OCR Settles Seventeenth Investigation in HIPAA Right of Access Initiative</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its seventeenth settlement of an enforcement action in its HIPAA Right of Access Initiative.&amp;nbsp; OCR announced this initiative to support individuals' right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;The Arbour, Inc., doing business as Arbour Hospital ("Arbour"), has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. Arbour is located in Massachusetts and provides behavioral health services.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/03/24/ocr-settles-seventeenth-investigation-in-hipaa-right-of-access-initiative.html"&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/arbour-racap.pdf"&gt;&lt;font face="Georgia" style="font-size: 16px;"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928227</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928227</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 09 Mar 2021 22:09:18 GMT</pubDate>
      <title>Extension of the Public Comment Period for Proposed Modifications to the HIPAA Privacy Rule</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announces a 45-day extension of the public comment period for the Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia"&gt;&lt;font style="font-size: 16px;"&gt;OCR first&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.hhs.gov/about/news/2020/12/10/hhs-proposes-modifications-hipaa-privacy-rule-empower-patients-improve-coordinated-care-reduce-regulatory-burdens.html?language=es"&gt;&lt;font style="font-size: 16px;"&gt;released the NPRM to the public on the HHS website on December 10, 2020&lt;/font&gt;&lt;/a&gt;&lt;font style="font-size: 16px;"&gt;, and it was published in the Federal Register on January 21, 2021.&amp;nbsp; The 45-day extension moves the current deadline for the public to submit comments from March 22, 2021, to May 6, 2021. The notice of extension of the comment period is available at&amp;nbsp;&lt;/font&gt;&lt;a href="https://public-inspection.federalregister.gov/2021-05021.pdf"&gt;&lt;font style="font-size: 16px;"&gt;https://public-inspection.federalregister.gov/2021-05021.pdf&amp;nbsp;- PDF&lt;/font&gt;&lt;/a&gt;&lt;font style="font-size: 16px;"&gt;.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;OCR encourages and will carefully consider comments from all stakeholders, including patients and their families, consumer advocates, HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates, health care professional associations, health information management professionals, health information technology vendors, and government entities.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;“OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” said Acting OCR Director Robinsue Frohboese.&amp;nbsp; “The 45-day extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.”&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia"&gt;&lt;font style="font-size: 16px;"&gt;Interested members of the public may submit their comments on the NPRM no later than May 6, 2021. The NPRM is available for review and comment at&amp;nbsp;&lt;/font&gt;&lt;a href="https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care"&gt;&lt;font style="font-size: 16px;"&gt;https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care&lt;/font&gt;&lt;/a&gt;&lt;font style="font-size: 16px;"&gt;.&lt;/font&gt;&lt;/font&gt;&lt;/p&gt;
</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928434</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928434</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Fri, 12 Feb 2021 22:12:48 GMT</pubDate>
      <title>OCR Settles Sixteenth Investigation in HIPAA Right of Access Initiative</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its sixteenth settlement of an enforcement action in its HIPAA Right of Access Initiative. OCR announced this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Sharp HealthCare, doing business as Sharp Rees-Stealy Medical Centers (“SRMC”), has agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. SRMC is located in California and provides health care through four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/02/12/ocr-settles-sixteenth-investigation-in-hipaa-right-of-access-initiative.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/sharp-racap.pdf"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928467</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928467</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 10 Feb 2021 22:19:14 GMT</pubDate>
      <title>OCR Settles Fifteenth Investigation in HIPAA Right of Access Initiative</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its fifteenth settlement of an enforcement action in its HIPAA Right of Access Initiative.&amp;nbsp; OCR announced this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. &amp;nbsp;Renown Health, P.C., a private, not-for-profit health system in Nevada, has agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/02/10/ocr-settles-fifteenth-investigation-hipaa-right-access-initiative.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/renown-health-racap.pdf"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928754</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928754</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Fri, 15 Jan 2021 22:24:14 GMT</pubDate>
      <title>Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Lifetime Healthcare Companies, including its affiliates Excellus Health Plan, Inc. doing business as Excellus BlueCross BlueShield and Univera Healthcare, Lifetime Health Medical Group, Lifetime Benefit Solutions, Lifetime Care, and The MedAmerica Companies (collectively "Excellus Health Plan") have agreed to pay $5.1 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 9.3 million people. Excellus Health Plan is a New York state health services corporation that provides health insurance coverage to over 1.5 million people in Upstate and Western New York.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/01/15/health-insurer-pays-5-1-million-settle-data-breach.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/excellus-ra-cap.pdf"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11928890</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11928890</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Tue, 12 Jan 2021 22:36:42 GMT</pubDate>
      <title>OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative</title>
      <description>&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its fourteenth settlement of an enforcement action in its HIPAA Right of Access Initiative.&amp;nbsp; OCR announced this initiative as an enforcement priority in 2019 to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Banner Health, on behalf of the Banner Health affiliated covered entities (Banner Health ACE), has agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard.&amp;nbsp; Banner Health is a non-profit health system based in Phoenix, Arizona. Banner Health operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities and is one of the largest health care systems in the United States.&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;a href="https://www.hhs.gov/about/news/2021/01/12/ocr-settles-fourteenth-investigation-in-hipaa-right-of-access-initiative.html"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;

  &lt;li&gt;&lt;a href="https://www.hhs.gov/sites/default/files/banner-racap.pdf"&gt;&lt;font style="font-size: 16px;" face="Georgia"&gt;Read the Resolution Agreement and Corrective Action Plan&lt;/font&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/11929313</link>
      <guid>https://therapycomply.com/HIPAA/Blog/11929313</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 17 Jul 2019 20:18:36 GMT</pubDate>
      <title>What is the Difference Between “Required” and “Addressable” Specification in the HIPAA Security Rule?</title>
      <description>&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;The purpose of the Health Insurance Portability and Accountability (HIPAA) Security Rule is to:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity (healthcare provider, health plan) or business associate creates, receives, maintains, or transmits;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Ensure compliance of the covered entity’s workforce.&amp;nbsp; 45 C.F.R. §164.306.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements.&amp;nbsp; Each one of these sections has multiple “standards” that must be followed by the covered entity.&amp;nbsp; Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”.&amp;nbsp;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;A “required” implementation specification must be implemented by the covered entity.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;An “addressable” implementation specification is more flexible, but it is &lt;strong&gt;not optional&lt;/strong&gt;. &amp;nbsp;A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Implement the addressable implementation specification;&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Implement an equivalent alternative measure that allows the entity to comply with the standard; or&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Covered entities must document the assessment and decision made regarding each specification.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:&lt;/font&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;The entity's risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;The entity’s security analysis - What security measures are already in place or could reasonably be put into place?&lt;/font&gt;&lt;/li&gt;

  &lt;li&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;The entity’s financial analysis - How much will implementation cost?&lt;/font&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;u&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;Citation&lt;/font&gt;&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;45 CFR §164.306&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;NIST SP 800-66&lt;/font&gt;&lt;/p&gt;</description>
      <link>https://therapycomply.com/HIPAA/Blog/7784687</link>
      <guid>https://therapycomply.com/HIPAA/Blog/7784687</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 22 May 2019 19:06:00 GMT</pubDate>
      <title>Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach</title>
      <description>&lt;p&gt;&lt;span style="background-color: rgb(255, 255, 255);"&gt;&lt;font color="#000000" face="Georgia" style="font-size: 15px;"&gt;Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.&amp;nbsp;MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.&lt;/font&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;&lt;a href="https://www.hhs.gov/about/news/2019/05/23/indiana-medical-records-service-pays-100000-to-settle-hipaa-breach.html"&gt;&lt;font color="#6F57B5"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;
</description>
      <link>https://therapycomply.com/HIPAA/Blog/7784543</link>
      <guid>https://therapycomply.com/HIPAA/Blog/7784543</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
    <item>
      <pubDate>Wed, 15 May 2019 19:04:18 GMT</pubDate>
      <title>Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients' Protected Health Information</title>
      <description>&lt;p&gt;&lt;font color="#000000" face="Georgia" style="font-size: 15px;"&gt;&lt;strong style=""&gt;Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients' protected health information – May 6, 2019&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font color="#000000" face="Georgia" style="font-size: 15px;"&gt;Touchstone Medical Imaging ("Touchstone") has agreed to pay $3,000,000 to OCR, and to adopt a corrective action plan to settle potential violations of the HIPAA Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font face="Georgia" style="font-size: 15px;"&gt;&lt;a href="https://www.hhs.gov/about/news/2019/05/06/tennessee-diagnostic-medical-imaging-services-company-pays-3000000-settle-breach.html"&gt;&lt;font color="#6F57B5"&gt;Read the HHS Press Release&lt;/font&gt;&lt;/a&gt;&lt;/font&gt;&lt;/p&gt;
</description>
      <link>https://therapycomply.com/HIPAA/Blog/7784539</link>
      <guid>https://therapycomply.com/HIPAA/Blog/7784539</guid>
      <dc:creator>Zachary Edgar</dc:creator>
    </item>
  </channel>
</rss>