Generally, the Office for Civil Rights (OCR) issues fines for various reasons. However, the past year’s fines focused heavily on noncompliance with the HIPAA right of access standard. Twelve HIPAA violation fines were issued under the OCR right of access initiative, while one fine was issued for failure to comply with the HIPAA Security Rule. In addition to paying a fine, each organization was also required to implement a HIPAA corrective action plan.
The OCR Right of Access Initiative
Before reviewing the HIPAA fines issued in 2021, it is important to understand the OCR right of access initiative. In 2019, the OCR announced their right of access initiative in which they prioritized enforcing compliance with the HIPAA right of access standard. Before this announcement, the OCR received multiple complaints from patients who were not receiving timely access to their medical records. However, OCR did not enforce compliance with the standard until 2019.
Since the announcement, they have fined 25 healthcare organizations for failing to comply with the standard. There were two right of access settlements in 2019, eleven in 2020, and twelve in 2021. See TBHI’s previous articles for more details below.
- HIPAA Right of Access Violation Fines 2020
- 5 HIPAA Violation Fines for Failing to Grant the Right of Access
- 2019 HIPAA Violation Fines
- More HIPAA Right of Access Violations Reported by OCR
- HIPAA Violations: 4 Easy Ways to Avoid
- HIPAA Violations: 8 Common HIPAA Violations That Increase Legal Risk
- What are HIPAA Violation Consequences?
2021 HIPAA Violation Fines and HIPAA Corrective Action Plans
HIPAA violation fines are generally coupled with the requirement to implement corrective action plans. The OCR issues fines for an organization’s noncompliance and requires them to implement corrective action plans to prevent further HIPAA violations by the organization. Each fined organization is also required to implement measures to improve its HIPAA compliance.
HIPAA Right of Access Fines: Examples
The focus of 2021 OCR enforcement efforts pressed upon a provider’s obligation to comply with the right of access standard. “Health care providers must provide their patients with timely access to their health records, and will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.
Right of access fines ranged from $200,000 to $5,000, taking into account the size of the organization and the severity of the violation. The OCR issued Banner Health the largest fine ($200,000) after several patients complained that they had not received timely access to their medical records. In addition to paying the fine, Banner Health is required to adopt a HIPAA corrective action plan and is subject to two years of OCR monitoring.
Other organizations fined for right of access violations included:
- Rainrock Treatment Center, LLC – $160,000
- Robert Glaser – $100,000
- Children’s Hospital & Medical Center – $80,000
- Renown Health – $75,000
- Sharp HealthCare – $70,000
- Arbour Hosptial – $65,000
- Advanced Spine & Pain Management – $32,150
- Denver Retina Center – $30,000
- Village Plastic Surgery – $30,000
- Wake Health Medical Group – $10,000
- The Diabetes, Endocrinology & Lipidology Center, Inc. – $5,000
HIPAA Security Rule Fine
The other 2021 area that led to a fine was complying with the HIPAA Security Rule. After a massive cyberattack that affected 9.3 million patients, Excellus Health Plan was the subject of an OCR investigation. Upon conclusion of the investigation, the OCR issued Excellus a $5.1 million fine, along with the usual HIPAA corrective action plan.
In its investigation, OCR found that Excellus failed to:
- Conduct an accurate and thorough risk analysis;
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
- Implement procedures to review records of information systems activity regularly; and
- Implement technical policies and procedures for electronic information systems to allow access only to those requiring access.
“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said former OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information.”
How to Prevent HIPAA Violation Fines
The key to preventing HIPAA violations and fines is awareness and preparation. The HIPAA regulation sets forth specific standards that healthcare providers are expected to follow. When they fail to comply, they can be fined. Healthcare organizations are better protected against HIPAA violations and resulting fines by implementing an effective HIPAA compliance program. If aberrations are found, providers should implement a pre-emptive corrective action plan before being investigated by the OCR.
To implement an effective HIPAA compliance program, healthcare organizations must:
- Conduct annual security risk assessments (SRAs)
- Implement remediation plans to address deficiencies uncovered by SRAs
- Have written policies and procedures that follow the HIPAA Privacy, Security, and Breach Notification Rules
- Conduct annual employee HIPAA training
- Have signed business associate agreements
- Create a system for detecting, responding to, and reporting breaches
This Article Contributed by Compliancy Group
Need assistance with HIPAA compliance? Compliancy Group can help! Learn more about 2021 HIPAA violations and fines by signing up for Compliancy Group’s webinar.
HIPAA Compliant Cybersecurity: Practical Implementation Tips
Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.