OCR Continues Enforcement of HIPAA Rights of Access Initiative
Last year, the Department of Health and Human Services Office for Civil Rights (“OCR”) announced its Right of Access Initiative in order to improve enforcement of the right of access requirement under the Federal Health Insurance Portability and Accountability Act (“HIPAA”). Right of access allows patients to request copies of their medical records. Covered Entities are required to respond to these requests within certain time parameters, but are permitted to charge a reasonable fee for producing requested records to account for time and resources, subject to state limitations. Pursuant to Federal regulations, Covered Entities that charge excessive costs or fail to timely provide patients with requested records may be in violation of the HIPAA Privacy Rule and subject to financial penalties.
After announcing the first settlement pursuant to the Right of Access Initiative last fall, OCR has now announced five more settlements related to the Initiative:
- New York City based non-profit organization, Housing Works Inc., agreed to a $38,000 settlement and to adopt a corrective action plan that includes one year of monitoring due to its failure to provide an individual with access to his records on two occasions.
- California based multi-specialty family medicine clinic, All Inclusive Medical Services, Inc., agreed to a $15,000 settlement and to adopt a corrective action plan that includes two years of monitoring. The clinic refused to give a patient access to her medical records when she requested to inspect and receive a copy of her records.
- Beth Israel Lahey Health Behavioral Services, a network of mental health and substance use disorder services in Massachusetts, agreed to a $70,000 settlement and to a corrective action plan that includes one year of monitoring for its failure to respond to a request from a personal representative that sought access to her deceased father’s records.
- King MD, a psychiatric health care provider in Virginia, agreed to a $3,500 settlement and to adopt a corrective action plan that includes two years of monitoring for its failure to respond to a patient’s request for access to her medical records on two occasions.
- Wise Psychiatry, PC, a psychiatric health care provider in Colorado, agreed to a $10,000 settlement and to adopt a corrective action plan that includes one year of monitoring. It had failed to provide a personal representative with access to her minor son’s medical records on two occasions.
OCR’s Right of Access Initiative aims to empower patients’ rights to access their data pursuant to HIPAA, and to hold Covered Entities liable for their failure to comply. Covered Entities should review, revise and/or implement policies and procedures to ensure a timely and appropriate response to patient requests for records in order to avoid penalties.
Million Dollar Settlements for Noncompliance with HIPAA
Athens Orthopedic Clinic PA, a medical group located in Georgia (the “Practice”), agreed to a $1.5 million settlement and to adopt a corrective action plan that includes two years of monitoring. In June 2016, the Practice was notified that its database of patient records may have been posted online for sale. Shortly thereafter, a hacker contacted the Practice and demanded compensation in return for the database. Through a forensic audit, the Practice determined that the hacker gained access to its system through a vendor’s compromised login credentials and promptly terminated the account. However, the hacker was not effectively blocked from accessing the database for several additional weeks. As a result, over 200,000 individuals were affected by the breach.
As a result of the incident, the Practice filed a breach report with OCR, which prompted an investigation revealing that the Practice had longstanding, systemic noncompliance with HIPAA. The Practice failed to: (i) maintain copies of its HIPAA policies and procedures; (ii) implement appropriate hardware and software to record and monitor electronic protected health information; (iii) enter into compliant business associate agreements; (iv) provide its workforce proper HIPAA training; (v) conduct accurate and thorough assessments of potential risks and vulnerabilities to its electronic protected health information; and (vi) implement sufficient security measures to reduce risks and vulnerabilities to a reasonable level. Due to its failures to maintain compliance with HIPAA, the Practice not only agreed to a $1.5 million settlement, but also a robust corrective action plan. The corrective action plan provides numerous requirements for the Practice, including developing an enterprise-wide risk analysis and HIPAA policy and procedure manual, all of which must be approved by OCR.
Additionally, OCR announced a $2.3 million settlement with CHSPSC, LLC, a business associate service provider to hospitals and clinics. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had remotely accessed and compromised CHSPSC’s information system through its virtual private network. Despite this notice, the cyber-hacking group maintained access to CHSPSC’s information system for several months. As a result, 237 Covered Entities and over six million individuals were affected. An OCR investigation found that CHSPSC did not appropriately respond to and mitigate known security risks. CHSPSC failed to: conduct accurate and thorough risk assessments; implement technical policies and procedures to limit access to authorized individuals; and implement procedures that required regular reviews of information system activity. Due to its failures to comply with HIPAA, CHSPSC agreed to pay OCR $2.3 million and to adopt a corrective action plan that includes two years of monitoring. Furthermore, the corrective action plan requires CHSPSC to adopt and implement OCR-approved internal monitoring and risk management plans, and policies and procedures on technical access controls. CHSPSC must also submit annual reports to OCR detailing its compliance with the corrective action plan.
How Frier Levitt Can Help
Covered Entities and Business Associates alike must maintain robust policy and procedure manuals to ensure compliance with HIPAA and avoid costly penalties. Contact Frier Levitt for assistance with the development of these policies and procedures, risk assessments, HIPAA training protocols, and breach response and reporting.