Small and Large Violators Penalized
HIPAA security violations are no laughing matter. From a small local clinical lab to a large regional health plan, violators of the HIPAA Security Rule have paid dearly in the first half of 2021. Through June, two violators have paid a total of $5,125,000 to settle with the Office for Civil Rights.
As the enforcement arm of the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights investigates violations alleged by patients and employees and imposes financial and other penalties upon the violators. The OCR also continues to monitor previous violators as a condition of their individual violation settlements.
And the fact is, if you haven’t conducted a security risk assessment recently … or haven’t documented your security procedures … or haven’t implemented proper risk management or security measures, you could be next.
The Penalties are Severe
In the first half of 2021, two healthcare providers were penalized for HIPAA Security Rule violations that resulted in data breaches affecting their patients, former patients, and insured individuals. The two penalties were $25,000 and $5.1 million.
In both cases, in addition to their financial penalties, violators are required to implement robust remedial action plans that are monitored by the OCR for up to three years.
Also in the first half of 2021, six other healthcare providers were penalized for violations of the HIPAA Privacy Rule’s patient right of access requirement. These fines ranged from $5,000 to $200,000 depending on several variables. We’ll examine these violations in next week’s post.
Violators Posted on Web
OCR Press Releases publicly announce the settlement of each violation and are posted on the HHS OCR website.
The releases provide details as to what the violator was found to have done, when it was done, how long it went on, how many individuals were potentially affected, the amount of the financial penalty, and the specific HIPAA Security Rule and requirement that was violated. Dirty laundry is aired in some of these releases, which can be as onerous as the financial impact.
For the convenience of healthcare providers and other healthcare organizations that don’t keep up with this important news, summarized below are the two settlements of HIPAA Security Rule violations announced by the OCR in the first half of 2021.
Small Violator: AEON Clinical Labs
Systemic Noncompliance and Multiple Security Failures
The first of two HIPAA Security Rule settlements involved Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories, a provider of diagnostic and laboratory-developed tests, including clinical and genetic testing services, based in Georgia.
The OCR initiated a Compliance Review of Peachstate in 2017 to determine its compliance with HIPAA Privacy and Security Rules. While we do not know what prompted the review, the findings were extensive and embarrassing.
According to the OCR report, “the investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.”
OCR Press Release
The OCR Press Release, published on May 25, 2021, specifically called out these four Security Rule violations:
- Peachstate failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by Peachstate. (See 45 C.F.R. § 164.308(a)(1)(ii)(A)).
- Peachstate failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level identified in its risk analysis or assessment. (See 45 C.F.R. § 164.308(a)(1)(ii)(B)).
- Peachstate failed to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. (See 45 C.F.R. § 164.312(b)).
- Peachstate failed to maintain policies and procedures to comply with Subpart C in written (which may be electronic) form and to maintain written (which may be electronic) record of any action, activity, or assessment required by Subpart C or these policies and procedures. (See 45 C.F.R. § 164.316(b)).
Peachstate got off with a $25,000 penalty and a three-year monitoring requirement.
The year after the OCR Compliance Review, in 2018, the company changed its name to AEON Global Health Corp. An online search for the original AEON Clinical Laboratories redirects visitors to a new address for AEON Global Health.
Large Violator: Excellus Health Plan
Hacking Undetected for 18 Months Due to Poor Security
The Lifetime Healthcare Companies is a $6 billion nonprofit holding company headquartered in Rochester, NY, employing nearly 4,000 workers at various affiliates throughout Upstate New York, according to its website. Affiliates provide health coverage and health care services to more than 1.5 million people.
The offending entity, an affiliate called Excellus Health Plan, was doing business as Excellus BlueCross BlueShield, Univera Healthcare, Lifetime Health Medical Group, Lifetime Benefit Solutions, Lifetime Care, and The MedAmerica Companies.
Excellus Health Plan filed a breach report in September 2015, indicating that hackers had gained unauthorized access to its information technology (IT) systems.
The ensuing OCR investigation found potential violations of HIPAA Security and Privacy Rules, including:
- Failure to conduct an enterprise-wide risk analysis
- Failure to implement risk management measures
- Failure to implement information system activity reviews
- Failure to implement access controls
In addition to implementing a plan to correct its failures, Excellus agreed to pay a $5.1 million penalty and to be monitored for two years by the OCR.
OCR Press Release
According to the OCR Press Release dated January 15, 2021, for a 15-month period between December 2013 and May 2015, “hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.”
Summarizing the incident, OCR Director Roger Severino said that Excellus Health Plan failed to “stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries. We know that the most dangerous hackers are sophisticated, patient, and persistent. Healthcare entities need to step up their game.”
Avoid the Penalty Box: Conduct a Risk Assessment Now
In the case of both Security Rule violations, data breach prevention and HIPAA compliance could easily have begun with a security risk assessment, as noted by the OCR in each press release.
In addition to being a HIPAA requirement for healthcare providers, insurers, and their business associates, a thorough security risk assessment is an excellent security safeguard, especially when combined with regular follow-up assessments.
Violations of the HIPAA Security Rule are no laughing matter, and neither is an investigation by the Office for Civil Rights. The OCR enforces HIPAA compliance by aggressively investigating violations claimed by patients and employees and imposing financial and other penalties upon violators.
The OCR also monitors previous violators as part of their settlements, requiring them to implement HIPAA security and privacy compliance measures in short order.
Healthcare entities that continue to violate HIPAA requirements and put off full compliance are increasingly likely to be investigated, either as part of the OCR’s schedule or in response to employee or patient complaints. These organizations are rolling the dice in a game the house is committed to winning.