2020 HIPAA Violation Cases and Penalties
Jan 13


The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. A total of $13,554,900 was paid to OCR to settle the HIPAA violation cases.

Penalties for Noncompliance with the HIPAA Right of Access

In late 2019, OCR announced a new HIPAA enforcement initiative to tackle noncompliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been highly active and has imposed 14 financial penalties for noncompliance, 11 of which were announced in 2020. The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set. When a request is received from an individual or their personal representative, the records must be provided within 30 days (the rule permits one 30-day extension if the individual is notified in writing of the reason for the delay). A reasonable, cost-based fee may be charged for providing a copy of...

COPS Monitoring Confirmed as HIPAA Compliant by Compliancy Group
Jan 13


Compliancy Group has confirmed Williamstown, NJ-based COPS Monitoring, the largest provider of professional monitoring in the United States, has implemented an effective HIPAA compliance program. The regulatory standards of the Health Insurance Portability and Accountability Act (HIPAA) govern the privacy, security, and integrity of sensitive healthcare data called Protected Health Information (PHI). Any vendor of a HIPAA-covered entity whose products or services ‘touch’ PHI is classed as a business associate and is required by law to comply with certain provisions of the HIPAA Rules. Many business associates of HIPAA-covered entities partner with Compliancy Group and use the company’s proven HIPAA compliance methodology and proprietary compliance tracking software – The Guard – to demonstrate they are fully compliant with the appropriate standards of the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, and the HITECH Act. By completing Compliancy Group’s Implementation Program, COPS Monitoring demonstrated its adherence to the meticulous regulatory...

OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine
Jan 13


The HHS’ Office for Civil Rights (OCR) is continuing to crack down on healthcare providers that are not providing patients with timely access to their medical records. Yesterday, OCR announced a settlement had been agreed with Banner Health to resolve a HIPAA Right of Access investigation. Banner Health agreed to pay $200,000 to settle the case. The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their own protected health information. When a request is received, HIPAA-covered entities are required to provide a copy of the requested records within 30 days. In late 2019, OCR announced it was cracking down on noncompliance with this important provision of HIPAA. Since then, 14 financial penalties have been imposed on covered entities that have failed to provide patients with timely access to their medical records. Phoenix, AZ-based Banner Health is one of the largest health care systems in the United States. The non-profit health system operates 30 hospitals and many primary care, urgent care, and specialty care facilities. OCR received two...

LSU Health Discovers Additional Hospital Affected by September 2020 Email Account Breach
Jan 12


The protected health information of certain patients of LSU Health University Medical Center-New Orleans has potentially been compromised in an email security breach. LSU Health New Orleans Health Care Services Division previously announced on November 20, 2020 that it had suffered a security breach in September 2020 involving the email account of an employee. At the time, it appeared that the breach only affected certain patients who had received medical services at Lallie Kemp Regional Medical Center in Independence; Leonard J. Chabert Medical Center in Houma; W. O. Moss Regional Medical Center in Lake Charles; the former Earl K. Long Medical Center in Baton Rouge; Bogalusa Medical Center in Bogalusa; University Medical Center in Lafayette; or Interim LSU Hospital in New Orleans. LSU Health’s ongoing investigation revealed that the data of certain patients of its partner hospital, University Medical Center-New Orleans, was also stored in the compromised email account. The breach occurred on September 15, 2020 and was discovered on September 18. While the email account was...

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law
Jan 12


On January 5, 2021, President Trump signed a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that had implemented recognized security practices prior to experiencing a data breach. While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach. The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so provides a degree of insulation against regulatory enforcement actions. The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches...
