All posts tagged HIPAA Enforcement

HIPAA Enforcement: Employee Access and BAAs Matter

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement - Employee Access 01

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information (PHI) of 557 patients.  The company also failed to obtain a business associate agreement (BAA) with the calendar company (Google).

Under the 2-year resolution agreement, PSMC agreed to:

  • revise their policies and procedures around business associate relationships;
  • revise its policies and procedures about the use and disclosure of PHI to make sure that employees can identify what might be impermissible uses of PHI and know how and when to report issues to the privacy and/or security officer;
  • develop a risk analysis of security risks and vulnerabilities;
  • create new training materials and re-train all workforce members who use or disclose PHI within 60-daysm repeat this training annually, and train all new hires within 15-days of hire; and
  • revise their procedures around notifying HHS of reportable events in the future.

According to the press release: “It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Continue Reading

Vendor Management Matters: HIPAA Enforcement for $500K for Lack of a Business Associate Agreement

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement - Business Associate Agreement 01

Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company shared protected health information (PHI) with an unknown vendor without a business associate agreement (BAA).  According to the Resolution Agreement, “ACH impermissibly disclosed the PHI of 9,255 of its patients to a third party for billing processing services without the protections of a business associate agreement in place.”  The PHI later turned up on the vendor’s website.

This was clearly an unforced error in compliance — and an expensive one!   So easy to avoid too!  Providing PHI to a vendor without a business associate agreement is like going to work without your clothes on.  Vendor management is incredibly important, and organizations that fail to have proper agreements with their vendors that receive personal data are often punished severely by many privacy laws beyond HIPAA. The GDPR requires vendor agreements, and the FTC has found that companies engage in an unfair practice under the FTC Act Section 5 when they lack an adequate vendor agreement.

The main lesson from most privacy enforcement cases, whether HIPAA or otherwise: Do the basics!  So many cases involve failing to do obvious things.  There’s not much muddy ground in the land of enforcement.

The press release can be viewed here.  The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Continue Reading

HIPAA Enforcement Case – Allergy Associates

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

Allergy Associates of Hartford has agreed to pay $125,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. The incident occurred in February 2015.  A patient reached out to a local TV station about a dispute with a doctor at Allergy Associates. When the reporter contacted the doctor for comment, the doctor improperly disclosed the patient’s PHI.  After Allergy Associates learned that HHS was investigating this incident, no disciplinary action was taken against the doctor.  According to the Resolution Agreement:

(1) Allergy Associates impermissibly disclosed the Complainant’s PHI to an unauthorized third party. See 45 C.F.R. § 164.502(a).

(2) Allergy Associates failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity’s privacy policies and procedures and the Privacy Rule. See 45 C.F.R. §164.530(e)(l).

According to the HHS press release:

“When a patient complains about a medical practice, doctors cannot respond by disclosing private patient information to the media,” said OCR Director Roger Severino. “Because egregious disclosures can lead to substantial penalties, covered entities need to pay close attention to HIPAA’s privacy rules, especially when responding to press inquiries.”

The press release can be viewed here.  The Notice of Proposed Determination can be viewed here. The Resolution Agreement can be viewed here.

Also of Interest Regarding HIPAA

HIPAA Enforcement Guide

HIPAA Training Guide

HIPAA Enforcement 2017: Another Big Year for HIPAA Enforcement

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Continue Reading

Why Is HIPAA Data Breach Enforcement Increasing? An Insurer’s View from Katherine Keefe

Daniel Solove
Founder of TeachPrivacy

 

 

Recently, HIPAA enforcement over data breaches is increasing – a lot. This year has seen some of the largest monetary penalties. Why is this happening?

I had the chance to interview Katherine Keefe, who leads the Beazley Breach Response (BBR) Services Group.  I am particularly interested in the insurer’s perspective, so I interviewed Katherine.

Continue Reading

2017 HIPAA Enforcement

Daniel Solove
Founder of TeachPrivacy

 

Art E.V.Pavlov_by_Repin

The first quarter of 2017 is not yet over and the OCR has already released details of four enforcement penalties totaling over $11 million.  2016 set a record with $20 million in fines for the year, with $5.2 million of that coming in the first quarter.  In just the first 2 months of 2017, the fines have been more than half what the entire amount for 2016 was.  Here are details about enforcement actions in 2017 thus far:

  1. Illinois health care network, Presence Health, was fined $475,000 for failing to notify patients of a breach within the 60-day period. The incident took place over 3 years ago.  In October 2013,  operating room schedules that were written on paper and contained PHI of 836 individuals went missing.   Patients were not notified of the breach until February of 2014.  This represents the first enforcement related to the timeliness of breach notification.
  1. An insurance company, MAPFRE, was fined $2.2 million for failure to safeguard portable devices and poor risk assessment and risk management.  OCR found that MAPFRE did not have an adequate security awareness training program in place for their workforce.   In 2011, an unsecured USB device containing the ePHI of 2,209 individuals was stolen from the company’s IT department.  Despite the corrective measures MAPFRE indicated it would take, it did not actually start securing portable devices until 3 years after the incident.
  1. Children’s Medical Center of Dallas received a $3.2 million fine for multiple incidents where devices with unsecured ePHI were stolen. In 2010 an unencrypted Blackberry was stolen with the ePHI of 3,800 individuals.  In 2013, an unencrypted laptop was stolen with ePHI of 2,463 individuals.  The OCR investigation discovered that the hospital did not begin to secure and safeguard workstations and portable devices until 2013 despite being aware of the risks for many years.
  1. Florida corporation, Memorial Healthcare System, agreed to pay a fine of $5.5 million. This ties Advocate Health Care Network’s fine in August of 2016 for the record of highest penalty.  In this incident, the PHI of 115,143 patients was improperly accessed and disclosed.   Memorial Healthcare failed to terminate a former employee’s log-in credentials which was then used to access 80,000 records with PHI over the course of an entire year.  The company also neglected to review the activity within the system that would have identified that the records were being improperly accessed.   Memorial discovered the breach while investigating two employees who were stealing patient information to file fake tax returns.

Not too long ago, I posted an overview of OCR’s enforcement in 2016.  OCR continues to be active in its enforcement, at its highest level to date.  This is a great opportunity for privacy and security officials to point out to upper management the need for greater resources and attention to HIPAA compliance.

Continue Reading

Lessons from 2016, the Biggest HIPAA Enforcement Year on Record

Daniel Solove
Founder of TeachPrivacy

HIPAA Enforcement

Time to call the Guinness Book of World Records because HHS has set a new world record in HIPAA enforcement.  2016 saw a considerable increase in HIPAA enforcement resolution agreements and monetary penalties.  At the end of 2016, the OCR logged over $20 million in fines for HIPAA violations from 15 enforcement actions with monetary penalties — a stark contrast to 2015 penalties which were just over $6 million from just 6 resolution agreements.

The per entity fines have increased as well increasing from about $850K in recent years to $2 million in 2016.

Also, in late 2015, the Office of the Inspector General released findings of a study that recommended a stronger enforcement and follow-up from the OCR for HIPAA violations:

Continue Reading