All posts in HHS Office for Civil Rights

HIPAA Enforcement 2018

Daniel Solove
Founder of TeachPrivacy


Last year was a record-setting year for HIPAA enforcement.  On HHS’s website, OCR has touted its 2018 enforcement:

OCR has concluded an all-time record year in HIPAA enforcement activity.  In 2018, OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This total surpassed the previous record of $23.5 million from 2016 by 22 percent.  In addition, OCR also achieved the single largest individual HIPAA settlement in history of $16 million with Anthem, Inc., representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

Here is an overview of the resolution agreements and enforcement actions with civil monetary penalties from 2018:


HIPAA Enforcement: Employee Access and BAAs Matter

Daniel Solove
Founder of TeachPrivacy


Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the medical center failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information (PHI) of 557 patients. The medical center also failed to obtain a business associate agreement (BAA) with the calendar vendor (Google).
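The control that failed here is leaver deprovisioning: a departed employee kept a working login to a system holding PHI. The check a practitioner would run is a reconciliation of the HR termination list against the account lists exported from every application that holds PHI, flagging accounts still active past the owner’s last day and, separately, accounts that were actually used after that day. The script below is an added example written for this page; it is not code from TeachPrivacy, OCR or PSMC, and the employees, dates and application names in it are constructed sample data.

```python
"""Leaver-access reconciliation (added example; constructed sample data).

Joins an HR termination list to per-application account exports and reports
(1) accounts still active after the owner's last day plus a grace period, and
(2) accounts whose last login falls after the owner's last day, which means the
access was used, not merely left open, and needs incident review.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Termination:
    email: str       # identity as recorded by HR
    last_day: date   # final day of employment


@dataclass(frozen=True)
class AppAccount:
    app: str                     # system holding PHI, e.g. a shared calendar or EHR
    email: str                   # identity as exported by the application
    active: bool                 # can the account still sign in?
    last_login: Optional[date]   # None if the account has never been used


def _norm(email: str) -> str:
    """Join key for HR and SaaS exports, which often differ in case/whitespace."""
    return email.strip().lower()


def orphaned_accounts(terminations: Iterable[Termination],
                      accounts: Iterable[AppAccount],
                      as_of: date,
                      grace_days: int = 1) -> List[Tuple[AppAccount, Termination, int]]:
    """Active accounts belonging to leavers whose deactivation deadline has passed.

    Returns (account, termination, days_overdue). The grace period is the
    contractual deprovisioning SLA (hypothetical default of one day).
    """
    leavers = {_norm(t.email): t for t in terminations}
    findings = []
    for acct in accounts:
        term = leavers.get(_norm(acct.email))
        if term is None or not acct.active:
            continue                      # current staff, or already deactivated
        deadline = term.last_day + timedelta(days=grace_days)
        if as_of > deadline:
            findings.append((acct, term, (as_of - deadline).days))
    return findings


def post_termination_logins(terminations: Iterable[Termination],
                            accounts: Iterable[AppAccount]) -> List[Tuple[AppAccount, Termination]]:
    """Accounts used after the owner's last day: escalate these, do not just close them."""
    leavers = {_norm(t.email): t for t in terminations}
    return [
        (acct, leavers[_norm(acct.email)])
        for acct in accounts
        if _norm(acct.email) in leavers
        and acct.last_login is not None
        and acct.last_login > leavers[_norm(acct.email)].last_day
    ]


# Constructed sample data: two leavers, four application accounts.
TERMINATIONS = [
    Termination("j.doe@example.org", date(2018, 5, 31)),
    Termination("A.Smith@Example.org", date(2018, 6, 15)),   # case differs from the SaaS export
]
ACCOUNTS = [
    AppAccount("shared-calendar", "j.doe@example.org", True, date(2018, 7, 2)),    # left open AND used
    AppAccount("shared-calendar", "a.smith@example.org", False, date(2018, 6, 10)), # correctly deactivated
    AppAccount("shared-calendar", "k.lee@example.org", True, date(2018, 7, 1)),     # current staff
    AppAccount("ehr", "j.doe@example.org", True, None),                              # left open, never used
]


def run_report(as_of: date = date(2018, 7, 10)) -> dict:
    """Summarise both checks for the sample data as of a given review date."""
    return {
        "orphaned": orphaned_accounts(TERMINATIONS, ACCOUNTS, as_of),
        "used_after_exit": post_termination_logins(TERMINATIONS, ACCOUNTS),
    }


if __name__ == "__main__":
    report = run_report()
    for acct, term, overdue in report["orphaned"]:
        print(f"ORPHANED  {acct.app:16} {acct.email:24} last day {term.last_day}  {overdue} days overdue")
    for acct, term in report["used_after_exit"]:
        print(f"USED      {acct.app:16} {acct.email:24} last login {acct.last_login} after {term.last_day}")
```

Run this against the real HR export and an account export from each system in the PHI inventory, not just the identity provider: a calendar or other SaaS tool that is not behind single sign-on will keep its own local accounts, which is exactly how a deactivated directory user can still hold a live login elsewhere.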


Vendor Management Matters: HIPAA Enforcement for $500K for Lack of a Business Associate Agreement

Daniel Solove
Founder of TeachPrivacy


Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA).  According to the Resolution Agreement, “ACH impermissibly disclosed the PHI of 9,255 of its patients to a third party for billing processing services without the protections of a business associate agreement in place.”  The PHI later turned up on the vendor’s website.

This was clearly an unforced error in compliance — and an expensive one!   So easy to avoid too!  Providing PHI to a vendor without a business associate agreement is like going to work without your clothes on.  Vendor management is incredibly important, and organizations that fail to have proper agreements with their vendors that receive personal data are often punished severely by many privacy laws beyond HIPAA. The GDPR requires vendor agreements, and the FTC has found that companies engage in an unfair practice under the FTC Act Section 5 when they lack an adequate vendor agreement.

The main lesson from most privacy enforcement cases, whether HIPAA or otherwise: Do the basics! So many cases involve failing to do obvious things.  There’s not much muddy ground in the land of enforcement.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe


HIPAA Enforcement Case – Allergy Associates

Daniel Solove
Founder of TeachPrivacy


Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015.  A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI.  After Allergy Associates learned that HHS was investigating this incident, no disciplinary action was taken against the doctor.  According to the Resolution Agreement:

(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).

(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. § 164.530(e)(1).

According to the HHS press release:

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

The press release can be viewed here.  The Notice of Proposed Determination can be viewed here. The Resolution Agreement can be viewed here.


HIPAA Whiteboard and HIPAA Interactive Whiteboard

Daniel Solove
Founder of TeachPrivacy


Recently, I created two new HIPAA training resources.

HIPAA Whiteboard

I created a 1-page visual summary of HIPAA, which I call the HIPAA Whiteboard. The idea was to summarize HIPAA in a concise and visually engaging way. You can download a PDF handout version here. We’ve been licensing it to many organizations for training and awareness purposes.


HIPAA Interactive Whiteboard

I subsequently created a new training module, an interactive version of the HIPAA Whiteboard: the HIPAA Interactive Whiteboard. When people click on each topic, the program provides brief narrated background information, presented in a very understandable and memorable way. Trainees can learn at their own pace. This program is designed to be very short; it is about 5 minutes long.

It can readily be used on internal websites to raise awareness and teach basic information about HIPAA.  It can also be used in learning management systems.
