The HHS Office for Civil Rights has published detailed information about the HIPAA violations it settled in 2021.
Violations of the HIPAA Security Rule, HIPAA Privacy Rule, and HIPAA Patient Right of Access requirement resulted in some spectacular fines and onerous corrective action plans in 2021, as we explore in this blog post.
The Role of the OCR: Mission Possible!
Among other civil rights related to health and human services, the Office for Civil Rights (OCR) enforces the Privacy Rule, Security Rule, and Breach Notification Rule that are central to the Health Insurance Portability and Accountability Act (HIPAA).
Together, these rules protect individuals’ fundamental healthcare rights, including the privacy and security of their personal health information and their right to obtain copies of their own health records. All healthcare organizations who participate in Medicare are required to comply with HIPAA regulations.
The core elements of the OCR’s mission are (1) helping ensure equal access to health and human services, (2) protecting the exercise of religious beliefs and moral convictions by individuals and institutions participating in HHS programs, (3) protecting individuals’ health information, (4) providing tools to promote healthcare provider awareness, (5) providing tools to encourage individuals to be fully engaged in decisions about their healthcare, and (5) advancing the health and well-being of all Americans.
The OCR meets some of these obligations by investigating complaints of HIPAA violations. If violations are found, the OCR imposes financial penalties and requires corrective action plans to be developed and implemented in a timely manner. Typically, they also require the violating organization to be monitored for two to three years to ensure all corrective actions are taken.
2021 Violations of Patient Right of Access Rule
The HIPAA Privacy Rule includes provisions for individuals to see and get copies of their health information from their healthcare providers and health plans/insurers. This is known as the Patient Right of Access (45 CFR § 164.524). In most cases, the patient or their representative must have their request fulfilled within 30 days. The allowable time may be 60 days in cases where an extension is applicable. Healthcare providers are permitted to charge reasonable fees for copying records, and there are various other stipulations in the rule.
In many cases, the denial of patient access begins innocently enough at the desk of an over-worked healthcare practitioner or office manager who forgets about the records request. Employees are the weakest link in the security and compliance chain, which is why it’s important to reinforce security awareness among all employees and make sure that policies and procedures are documented, up-to-date, widely distributed, or otherwise readily accessible.
Following are the 11 Right of Access violations settled in 2021 for a total of $777,150, presented in descending order by size of the penalty. Since the OCR began focusing on this compliance issue in 2019, 25 Right of Access violations have been settled.
- Banner Health agreed to a corrective action plan and a $200,000 settlement. Based in Phoenix, non-profit Banner operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities and is one of the nation’s largest healthcare systems.
- Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with the OCR investigation or respond to OCR data requests. Ultimately, Dr. Glaser waived his right to a hearing, did not contest the OCR findings, and settled for $100,000.
- Rainrock Treatment Center LLC agreed to a corrective action plan and a $160,000 settlement. The licensed provider of residential treatment services for eating disorders in Oregon does business as Monte Nido Rainrock.
- A private, non-profit health system in Nevada, Renown Health PC agreed to a corrective action plan and a $75,000 settlement.
- Sharp Rees-Stealy Medical Centers agreed to a corrective action plan and a $70,000 settlement. The company operates four acute-care hospitals, three specialty hospitals, three affiliated medical groups, and a health plan in California.
- Offering behavioral health services in Massachusetts as Arbour Hospital, The Arbour Inc. agreed to a corrective action plan and a $65,000 settlement.
- Advanced Spine & Pain Management provides chronic pain treatment services in Ohio and agreed to a corrective action plan and a $32,150 settlement.
- Providing ophthalmological services in Colorado, Denver Retina Center agreed to a corrective action plan and a $30,000 settlement.
- New Jersey-based provider of cosmetic surgery services, Village Plastic Surgery, agreed to a corrective action plan and a $30,000 settlement.
- Wake Health Medical Group, which provides primary care and other healthcare services in Raleigh, NC, agreed to a corrective action plan and a $10,000 settlement.
- In West Virginia, the Diabetes, Endocrinology & Lipidology Center, Inc. agreed to a corrective action plan and a $5,000 settlement.
The Unexpected Risks of an OCR Investigation
When a healthcare provider fails to deliver patient records within the allowable time, they risk having the patient file a complaint with the OCR. When a complaint is filed, the OCR investigates, working with the patient and provider to gather the applicable facts and dates. And once the OCR begins an investigation, additional HIPAA violations may be revealed, which may result in higher fines and stricter corrective action plans.
The Denver Retina Center is one such example. The OCR investigation determined that this healthcare provider did in fact fail to provide “timely access to protected health information about the individual in a designated record set” in violation of HIPAA 45 CFR § 164.524. Furthermore, OCR also determined that the provider “failed to have sufficient written policies and procedures related to providing timely access to protected health information about the individual” as required by HIPAA 45 CFR § 164.530(i). These dual violations cost the provider $30,000 and a corrective action plan with multiple requirements.
HIPAA Security Violation Has Many Consequences
In addition to investigating Patient Right of Access violations, the OCR investigates other complaints related to the HIPAA Security Rule. One such complaint, settled in 2021 for a penalty of $25,000, imposed an onerous corrective action plan on the violator, as described in part below.
Located in Georgia, Peachstate Health Management LLC, doing business as AEON Clinical Laboratories, agreed to a corrective action plan that included detailed requirements for the following actions to bring them into compliance with the HIPAA Security Rule. OCR found Peachstate lacking the required security risk assessment, risk management plan, policies and procedures, and employee training, in addition to other issues.
Security Risk Analysis. Peachstate was required to “conduct an enterprise-wide risk analysis” to be “forwarded to HHS for review and approval within 90 days. Upon receiving HHS notice of required revisions, if any, Peachstate shall have 30 days to revise the risk analysis accordingly and forward to HHS for review and approval.” Peachstate was further required to “review the risk analysis annually” and to “promptly update the risk analysis in response to environmental or operational changes affecting the security of electronic PHI.”
Risk Management Plan. Peachstate was also required to “develop and implement a risk management plan,” to be “forwarded to HHS for review and approval within 90 days.”
Policies and Procedures. The corrective action plan further required Peachstate to “develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information and to address any threats and vulnerabilities to the electronic PHI identified in the risk analysis and risk management plan.” Within 30 days of HHS approval of the risk analysis and risk management plan required above, Peachstate was required to “provide such policies and procedures to HHS for review and approval.” Additional requirements addressed the “distribution and updating of policies and procedures” as well as the handling of “reportable events during the compliance term.”
Employee Training. Employee training, and the proof of training, was also addressed in comprehensive terms. Peachstate was required to “provide HHS with training materials on the privacy and security of PHI for all members of the workforce that have access to PHI within 30 days of the receiving HHS final approval of policies and procedures” described above. Then, “upon receiving notice from HHS specifying any required changes, Peachstate shall make the required changes and provide revised training materials to HHS within 30 days.”
The corrective action plan for training further specified that “within 30 days after receiving HHS final approval and at least every 12 months thereafter, Peachstate shall provide training for each workforce member who has access to PHI. Peachstate shall also provide such training to each new member of the workforce who has access to PHI within 15 days of their beginning of service.” In addition, “each workforce member who is required to attend training shall certify, in electronic or written form, that he or she has received the training. The training certification shall specify the date training was received.” All course materials are to be kept in compliance with applicable records retention requirements.
Finally, “Peachstate shall review the training at least annually, and, where appropriate, update the training to reflect changes in Federal law or HHS guidance, any issues discovered during audits or reviews, and any other relevant developments.”
Monitoring Compliance. A final stipulation required that Peachstate monitor its corrective actions. Detailed requirements were provided for the “designation of an independent monitor, retention of records, description of monitor reviews, monitor review reports and response, monitor removal/termination, validation review, and implementation report and annual reports.” The requirements ensure that Peachstate implements its corrective action plan as specified, and in accordance with designated timetables. Generally, monitoring is required for two to three years.
The free OCR Newsletter provides security and privacy tips and guidance for avoiding HIPAA violations.
An Eye-Popping $5.1 Million Violation
In the most spectacular settlement of 2021, Excellus Health Plan Inc. agreed to pay a $5.1 million penalty to OCR and to implement a corrective action plan to settle violations of the HIPAA Privacy and Security Rules. Excellus provides health insurance coverage in New York State.
Excellus reported to authorities in September 2015 that it had suffered a data breach, beginning on or before December 23, 2013, and ending on May 11, 2015. After gaining unauthorized access to the company’s information technology systems, hackers installed malware and conducted reconnaissance activities (i.e., spying) for more than 16 months.
The extensive data breach resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals. Data included names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.
The OCR investigation determined that multiple violations of the HIPAA Privacy and Security Rules had occurred, including (1) failure to conduct an enterprise-wide risk analysis, (2) failure to implement a risk management plan, (3) failure to conduct an information system activity review, and (4) failure to implement access controls. No doubt the eye-popping size of the fine had to do, at least in part, with the duration of the breach before detection, the type of PHI exposed, and the number of individuals affected. This breach should serve as a cautionary tale for all healthcare organizations.
In 2021, the OCR settled with 11 healthcare providers to resolve complaints by patients who did not receive their medical records in the period of time allowed by HIPAA Right of Access provisions. Fines imposed by the OCR totaled $777,150, or an average of $70,650 per violation.
Peachstate Clinical Labs settled violations of the HIPAA Security Rule for $25,000 and a detailed, comprehensive corrective action plan addressing security risk assessments, training, and other non-compliance. Violating both the HIPAA Security Rule and Privacy Rule, Excellus Health Plan made eye-popping headlines with a $5.1 million settlement after a year-long data breach exposed the ePHI of more than 9 million individuals.
As part of most penalties, the OCR also requires healthcare providers to adhere to strict corrective action plans to address the sources of their violations. Several corrective action plans imposed in 2021 were highly detailed and extremely burdensome.
Many organizations lack the resources to fully comply with HIPAA requirements. But this is no excuse to violate the law, especially when the protected health information of hundreds of millions of individuals is at risk. Expert assistance is available to help you achieve and maintain compliance with HIPAA regulations, and it’s only a phone call or click away.