October 15, 2021

COVID-19 Has Not Slowed Down HIPAA Enforcement


The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services has been quite active in recent months with respect to enforcement of the health information privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Below is an overview of some of OCR's most recently announced HIPAA settlements. The details surrounding the alleged HIPAA violations and the facts that led to OCR's investigations are instructive to covered entities and business associates seeking to review or improve their HIPAA compliance efforts. Notably, OCR's investigations are commonly precipitated by a patient complaint to OCR or a report of a data breach, which, in recent times, is often the result of a cyberattack that begins with a phishing email or with the compromise of a user's login credentials. See the CSG Client Alert on recent ransomware threats to the healthcare industry. Some of the most common deficiencies cited by OCR are a lack of HIPAA policies and procedures and a failure to conduct a risk analysis, both of which are threshold compliance requirements. OCR's continued, robust enforcement efforts in the midst of COVID-19 serve as a reminder to HIPAA covered entities and business associates, both large and small, that HIPAA compliance is a top priority and that failure to comply can lead to substantial penalties.

Athens Orthopedic Clinic PA - Hackers Posted Patient Records Database Online

A clinic located in Athens, Georgia, agreed to pay approximately $1.5 million to settle potential violations related to a breach. According to the OCR Resolution Agreement, the clinic was notified that a database of patient records may have been posted online. Shortly thereafter, hackers demanded money from the clinic in return for the stolen database. It was later determined that the hackers had accessed the database using a vendor's credentials, a reminder that third-party access is part of a covered entity's own attack surface. OCR's investigation found "longstanding and systematic" noncompliance with the HIPAA Privacy and Security Rules by the clinic. Specifically, OCR pointed to the clinic's "failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members."

CHSPSC LLC - Hackers Compromised Credentials to Access Private Network

CHSPSC LLC, which provides HIPAA business associate services to hospitals and physician clinics, agreed to pay $2.3 million to settle potential HIPAA violations related to a breach. Despite warnings from the FBI of a potential threat to CHSPSC's information systems, hackers were able to use compromised administrative credentials to remotely access the information system through a virtual private network (VPN), thereby accessing the protected health information of millions of individuals. OCR's investigation cited CHSPSC's "longstanding, systematic noncompliance" with the HIPAA Privacy and Security Rules, including its failure to conduct a risk analysis and its failure to implement information system activity review, security incident procedures, and access controls.

Premera Blue Cross - Cyber-Attackers Gain Access and Install Malware Through Phishing Email

In the second largest payment related to a HIPAA investigation, Premera Blue Cross (PBC) agreed to pay $6.85 million related to a breach affecting over 10 million people. PBC filed a breach report disclosing that cyber-attackers gained unauthorized access to its information technology system through a phishing email that installed malware, giving the attackers access to PBC's information system. The malware went undetected for nearly nine months. OCR's investigation found that PBC failed to conduct an enterprise-wide risk analysis and failed to implement risk management and audit controls.

HIPAA Right of Access Initiative

OCR announced a number of new enforcement actions as part of its HIPAA Right of Access Initiative. OCR launched the initiative in 2019 to enforce the right of patients to receive copies of their medical records. Since the initiative began and as of the date of this alert, OCR has settled twelve enforcement actions with payments ranging from $3,500 to $160,000. One of the most recent of these settlements was with a private otolaryngologist in New York, who agreed to pay $15,000 and take corrective actions in response to a patient complaint alleging a violation of her access rights. Notably, the patient at issue submitted a complaint to OCR twice. After the initial complaint in September 2018, OCR assisted the physician by providing information with respect to HIPAA access obligations and closed the complaint. However, the patient submitted a second complaint to OCR in July 2019 stating that the physician had still not provided access. OCR's announcement of this settlement included the statement that "[d]octor's offices, large and small, must provide patients their medical records in a timely fashion."

These recent enforcement initiatives demonstrate the continued importance of HIPAA compliance. Attorneys at CSG are available to assist with all HIPAA compliance needs, such as responding to potential data breaches, development and/or improvement of HIPAA policies and procedures, negotiation of HIPAA business associate agreements, and the provision of HIPAA employee training.

Please contact a CSG attorney for more information.
