COVID-19 Has Not Slowed Down HIPAA Enforcement

The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services has been quite active in recent months with respect to enforcement of the health information privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Below is an overview of some of OCR’s most recently announced HIPAA settlements. The details surrounding the alleged HIPAA violations and the facts that led to OCR’s investigations are instructive to covered entities and business associates seeking to review or improve their HIPAA compliance efforts. Notably, OCR’s investigations are commonly precipitated by a patient complaint to OCR or a report of a data breach, which, in recent times, is often due to cyberattacks through phishing emails or other unauthorized access of log in credentials. See the CSG Client Alert here with respect to recent ransomware threats to the healthcare industry. Some of the most common deficiencies cited by OCR are a lack of HIPAA policies and procedures and a failure to conduct a risk analysis, both of which are threshold compliance requirements. OCR’s continued, robust enforcement efforts in the midst of COVID-19 serve as a reminder to HIPAA covered entities and business associates – both large and small – that HIPAA compliance is a top priority and that failure to comply can lead to substantial penalties.

Athens Orthopedic Clinic PA – Hackers Posted Patient Records Database Online

A clinic located in Athens, Georgia, agreed to pay approximately $1.5 million to settle potential violations related to a breach. According to the OCR Resolution Agreement, the clinic was notified that a database of patient records may have been posted online. Shortly thereafter, hackers demanded money from the clinic in return for the stolen database. It was later determined that the hackers accessed the database through a vendor’s credentials. OCR’s investigation found “longstanding and systematic” noncompliance with the HIPAA Privacy and Security Rules by the clinic. Specifically, OCR pointed to the clinic’s “failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.”

CHSPSC LLC – Hackers Compromised Credentials to Access Private Network

CHSPSC LLC, which provides HIPAA business associate services to hospitals and physician clinics, agreed to pay $2.3 million to settle potential HIPAA violations related to a breach. Despite warnings from the FBI of a potential threat to CHSPSC’s information systems, hackers were able to use compromised administrative credentials to remotely access the information system through a virtual private network, thereby accessing protected health information of millions of individuals. OCR’s investigation cited CHSPSC’s “longstanding, systematic noncompliance” with the HIPAA privacy and security rules by failing to conduct a risk analysis and failing to implement information system activity review, security incident procedures, and access controls.

Premera Blue Cross – Cyber-Attackers Gain Access and Install Malware Through Phishing Email

In the second largest payment related to a HIPAA investigation, Premera Blue Cross (PBC) agreed to pay $6.85 million related to a breach affecting over 10 million people. PBC filed a breach report disclosing that cyber-attackers gained unauthorized access to its information technology system through a phishing email which installed malware giving the hackers access to PBC’s information system. The malware went undetected for nearly nine months. OCR’s investigation found that PBC failed to conduct an enterprise-wide risk analysis and failed to implement risk management, and audit controls.

HIPAA Right of Access Initiative

OCR announced a number of new enforcement actions as part of its HIPAA Right of Access Initiative. OCR launched the initiative in 2019 aimed at enforcing the rights of patients to receive copies of their medical records. Since the initiative began and as of the date of this alert, OCR has settled twelve enforcement actions with payments ranging from $3,500 to $160,000. One of the most recent of such settlements was with a private otolaryngologist in New York, who agreed to pay $15,000 and take corrective actions in response to a patient complaint alleging violation of her access rights. Notably, the patient at issue submitted a complaint to OCR twice. After the initial complaint in September of 2018, OCR assisted the physician by providing information with respect to HIPAA access obligations and closed the complaint. However, the patient submitted a second complaint to OCR in July 2019 stating the physician had still not yet provided access. OCR’s announcement of this settlement included the statement that “[d]octor’s offices, large and small, must provide patients their medical records in a timely fashion.”

These recent enforcement initiatives demonstrate the continued importance of HIPAA compliance. Attorneys at CSG are available to assist with all HIPAA compliance needs, such as responding to potential data breaches, development and/or improvement of HIPAA policies and procedures, negotiation of HIPAA business associate agreements, and the provision of HIPAA employee training.