Summary of 2021 HIPAA Violation Fines: OCR Right of Access Initiative

138
0

Generally, the Office for Civil Rights (OCR) issues fines for various reasons. However, the past year’s fines focused heavily on noncompliance with the HIPAA right of access standard. Twelve HIPAA violation fines were issued under the OCR right of access initiative, while one fine was issued for failure to comply with the HIPAA Security Rule. In addition to paying a fine, each organization was also required to implement a HIPAA corrective action plan.

The OCR Right of Access Initiative

Before reviewing the HIPAA fines issued in 2021, it is important to understand the OCR right of access initiative. In 2019, the OCR announced their right of access initiative in which they prioritized enforcing compliance with the HIPAA right of access standard. Before this announcement, the OCR received multiple complaints from patients who were not receiving timely access to their medical records. However, OCR did not enforce compliance with the standard until 2019.

Since the announcement, they have fined 25 healthcare organizations for failing to comply with the standard. There were two right of access settlements in 2019, eleven in 2020, and twelve in 2021. See TBHI’s previous articles for more details below.

2021 HIPAA Violation Fines and HIPAA Corrective Action Plans

HIPAA violation fines are generally coupled with the requirement to implement corrective action plans. The OCR issues fines for an organization’s noncompliance and requires them to implement corrective action plans to prevent further HIPAA violations by the organization. Each fined organization is also required to implement measures to improve its HIPAA compliance.

HIPAA Right of Access Fines: Examples

The focus of 2021 OCR enforcement efforts pressed upon a provider’s obligation to comply with the right of access standard. “Health care providers must provide their patients with timely access to their health records, and will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

Right of access fines ranged from $200,000 to $5,000, taking into account the size of the organization and the severity of the violation. The OCR issued Banner Health the largest fine ($200,000) after several patients complained that they had not received timely access to their medical records. In addition to paying the fine, Banner Health is required to adopt a HIPAA corrective action plan and is subject to two years of OCR monitoring.

Other organizations fined for right of access violations included:

  • Rainrock Treatment Center, LLC – $160,000
  • Robert Glaser – $100,000
  • Children’s Hospital & Medical Center – $80,000
  • Renown Health – $75,000
  • Sharp HealthCare – $70,000
  • Arbour Hosptial – $65,000
  • Advanced Spine & Pain Management – $32,150
  • Denver Retina Center – $30,000
  • Village Plastic Surgery – $30,000
  • Wake Health Medical Group – $10,000
  • The Diabetes, Endocrinology & Lipidology Center, Inc. – $5,000

HIPAA Security Rule Fine

The other 2021 area that led to a fine was complying with the HIPAA Security Rule. After a massive cyberattack that affected 9.3 million patients, Excellus Health Plan was the subject of an OCR investigation. Upon conclusion of the investigation, the OCR issued Excellus a $5.1 million fine, along with the usual HIPAA corrective action plan.

In its investigation, OCR found that Excellus failed to:

  • Conduct an accurate and thorough risk analysis;
  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level;
  • Implement procedures to review records of information systems activity regularly; and
  • Implement technical policies and procedures for electronic information systems to allow access only to those requiring access.

“Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries,” said former OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information.”

How to Prevent HIPAA Violation Fines

The key to preventing HIPAA violations and fines is awareness and preparation. The HIPAA regulation sets forth specific standards that healthcare providers are expected to follow. When they fail to comply, they can be fined. Healthcare organizations are better protected against HIPAA violations and resulting fines by implementing an effective HIPAA compliance program. If aberrations are found, providers should implement a pre-emptive corrective action plan before being investigated by the OCR.

To implement an effective HIPAA compliance program, healthcare organizations must:

  • Conduct annual security risk assessments (SRAs)
  • Implement remediation plans to address deficiencies uncovered by SRAs
  • Have written policies and procedures that follow the HIPAA Privacy, Security, and Breach Notification Rules
  • Conduct annual employee HIPAA training
  • Have signed business associate agreements
  • Create a system for detecting, responding to, and reporting breaches

This Article Contributed by Compliancy Group

Need assistance with HIPAA compliance? Compliancy Group can help! Learn more about 2021 HIPAA violations and fines by signing up for Compliancy Group’s webinar.

HIPAA Compliant Cybersecurity: Practical Implementation Tips

Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.

Disclaimer: The Telebehavioral Health Institute (TBHI Telehealth.org) offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to TBHI Privacy Policy and Terms and Conditions.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x