Mid-Year HIPAA Enforcement Update

The HHS’ Office for Civil Rights has imposed 8 financial penalties on HIPAA-covered entities and business associates in the first 6 months of 2021 to resolve investigations into noncompliance with the Health Insurance Portability and Accountability Act Rules. In the first 6 months of 2020, only 1 financial penalty was imposed; however, OCR ended the year with 19 financial penalties imposed.

This year, OCR has continued with its drive to improve patients’ access to their medical records by imposing fines on HIPAA-covered entities that have failed to provide patients with a copy of their medical records within 30 days of receiving a written request for access or have charged more than a reasonable, cost-based fee for providing those records.

The HIPAA Right of Access enforcement initiative was launched in 2019 to combat widespread noncompliance with this important patient right. Under the HIPAA Right of Access of the HIPAA Privacy Rule, individuals can request a copy of their healthcare data, inspect the information for errors, and request changes be made to correct any mistakes.

When patients exercise their right, they are able to retain a copy of their records and pass the information on to other healthcare providers or research organizations, or whomsoever they wish. It has become increasingly important for patients to have a copy of their records given the number of ransomware attacks that are now occurring. Should medical records be encrypted by ransomware gangs, patients who hold their own copy will not lose their medical histories.

6 of the 8 financial penalties imposed in the first half of 2021 were for HIPAA Right of Access failures, with each of those 6 cases triggered by complaints from patients who were either denied access to their medical records or were not provided with them in a reasonable time frame.

The largest financial penalty in this category was imposed on Banner Health. Banner Health agreed to settle the case, pay the penalty, and adopt a corrective action plan to address the noncompliance. Banner Health will be monitored closely by OCR to ensure continued compliance for 2 years.

OCR received two complaints from patients of Banner Health affiliated covered entities who alleged they had experienced a long delay receiving a copy of their respective medical records. One patient requested records from Banner Estrella Medical Center in December 2017 and was not provided those records until May 2018. A second patient had to wait 5 months for an electronic copy of his records. “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records,” said then-OCR Director Roger Severino.

It was a similar story with the other 5 HIPAA Right of Access cases, all of which were settled with OCR. Renown Health paid $75,000 to resolve its case, Sharp HealthCare was fined $70,000, Arbour Hospital was fined $65,000, Village Plastic Surgery was fined $30,000, and The Diabetes, Endocrinology & Lipidology Center, Inc. paid a $5,000 penalty.

In January 2021, OCR announced a settlement had been reached to resolve multiple HIPAA violations discovered during the investigation of one of the top 5 healthcare data breaches ever reported. In 2015, 3 mega data breaches were reported by health plans – the 78.8 million record data breach at Anthem Inc., a 10.5 million record breach at Premera Blue Cross, and the 9.4 million record breach at Excellus Health Plan.

Anthem Inc. paid $16,000,000 to resolve its case in 2018, Premera paid a penalty of $6,850,000 in 2020 to resolve HIPAA violations related to its data breach, and now Excellus Health Plan has paid a penalty of $5,100,000. The Excellus settlement, announced in January, resolved multiple noncompliance issues. OCR determined there had been a risk analysis failure, a risk management failure, a lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access, all of which contributed to a data breach of 9,358,891 records.

The last financial penalty is interesting because, although it was imposed on AEON Clinical Laboratories, it actually stemmed from an investigation of another HIPAA-covered entity, which was acquired by the parent company AEON Global Health Corporation.

OCR was investigating AEON Clinical Laboratories when OCR learned its parent company had acquired Peachstate Health Management, LLC. OCR extended the investigation to Peachstate and discovered multiple areas of noncompliance with the HIPAA Security Rule, specifically risk assessment, risk management, and audit control failures. Peachstate had also failed to maintain documentation of HIPAA Security Rule policies and procedures. A financial penalty of $25,000 was imposed.

In total, $5,570,000 has been collected by OCR in the first 6 months of 2020 to resolve HIPAA violations.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA