Renown Health, P.C. (Renown), a non-profit health system in Nevada, settled with the U.S. Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services in a matter resulting from an enforcement action for a potential violation of patients’ access rights under the OCR’s Health Insurance Portability and Accountability Act of 1996 (HIPAA) Right-of-Access Initiative. The Renown settlement is the 15th settlement under this initiative.
Renown paid $75,000 and agreed to:
- Develop and maintain written access policies and procedures to comply with HIPAA
- Distribute updated policies and procedures related to the right-of-access to all workforce members
- Train workforce members on the right-of-access
- Revise its Notice of Privacy Practices to reflect the steps that patients need to take to access their PHI (including billing records)
OCR alleged that Renown failed to respond in a timely manner, as HIPAA requires, to a patient’s request that an electronic copy of her protected health information (PHI), including billing records, be sent to a third party. The OCR’s investigation determined that this failure to provide timely access was a potential violation of Renown’s obligations to the patient. As a result of the investigation, Renown also provided access to all the requested records.
Acting Director of OCR, Robinsue Frohboese, said, “Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” and OCR will certainly continue to enforce these types of violations throughout 2021. OCR announced this initiative in September 2019, seeking to support patients’ right to timely access to their PHI at a reasonable cost under HIPAA.
To view the corrective action plan that Renown has agreed to, click here.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced that it had entered into a Resolution Agreement, Corrective Action Plan, and settlement with Lifetime Healthcare, Inc., the parent of Excellus Health Plan, over alleged violations of HIPAA relating to a data breach that occurred from December 23, 2013 through May 11, 2015. During that time, a cybercriminal obtained access to its IT systems and installed malware that allowed the intruder to obtain access to the protected health information of more than 9.3 million individuals.
The accessed information included the individuals’ names, addresses, dates of birth, Social Security numbers, bank account information, health insurance claims, and clinical treatment information.
Following an investigation, OCR found potential violations of HIPAA and the parties agreed to settle the action for a payment of $5.1 million, along with the standard requirements in a Corrective Action Plan that OCR imposes on covered entities following a data breach, including completion of a security risk assessment, implementation of a risk management plan, updating policies and procedures, and annual reporting to OCR.
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit overturned a $4.348 million penalty for alleged HIPAA violations assessed by the U.S. Department of Health & Human Services (HHS) against the University of Texas M.D. Anderson Cancer Center (Hospital). The case arises from an enforcement action undertaken by HHS following the Hospital’s self-disclosure of three separate instances of lost or stolen portable devices containing electronic protected health information (ePHI). The government’s investigation determined that the devices were not encrypted, and that the Hospital’s failure to encrypt the devices to protect the ePHI contained therein constituted a violation of HIPAA’s Privacy and Security Rules. After HHS imposed the penalty in 2017, the Hospital appealed the penalty first to an Administrative Law Judge, and then to HHS’s Departmental Appeals Board before petitioning the Fifth Circuit for review in 2019 (see our prior analyses of this case here).
In its decision, a Fifth Circuit panel unanimously determined that the penalty “was arbitrary, capricious and otherwise unlawful” for four reasons: (1) HIPAA’s encryption requirements are “addressable” and require covered entities to implement a mechanism to encrypt and decrypt electronic PHI, and the hospital did implement such a mechanism “even if it could’ve or should’ve been a better one;” (2) the Fifth Circuit disputed that the hospital actually “disclosed” PHI in violation of HIPAA as a result of the lost unencrypted devices containing ePHI, because the government could not demonstrate that the hospital actually undertook an affirmative act to disclose the information, or that someone outside of the entity actually received it; (3) the government did not pursue similar penalties against other similarly-situated covered entities, in violation of longstanding administrative law principles obligating agencies to treat analogous cases similarly; and (4) the government misinterpreted the applicable standard for the penalties assessed, thus imposing a significantly higher penalty than was permitted under HIPAA (an issue HHS conceded as part of the Fifth Circuit’s review in this case).
The Fifth Circuit thus concluded that the government had offered “no lawful basis” for the penalties assessed against the Hospital, and therefore the court vacated the penalties and remanded the case for further proceedings. It remains to be seen whether HHS will now drop the case against the Hospital entirely, or seek to impose reduced penalties in accordance with the Fifth Circuit analysis. Regardless, the Hospital’s successful appeal and this decision provide an interesting roadmap for other covered entities facing HIPAA enforcement actions that might consider challenging the basis for, or amounts of, penalties assessed by HHS.
Health care providers and contractors continue to be a popular target for hackers. Recently, CHSPSC LLC (CHSPSC), which provides various services to hospitals and clinics indirectly owned by Community Health Systems, Inc. of Tennessee, agreed to pay $2,300,000 to the Office for Civil Rights (OCR) in settlement of potential violations of HIPAA’s Privacy and Security Rules. The OCR investigation and settlement stemmed from a data breach affecting over six million people.
The services provided by CHSPSC to the health care facilities included legal, compliance, accounting, operations, human resources, information technology, and health information management. In April 2014, the FBI notified CHSPSC that a cyber-hacking group had compromised administrative credentials and remotely accessed CHSPSC’s information system through its virtual private network (VPN). Nevertheless, even after the FBI’s notice of the problem, the hackers continued for several months to access and exfiltrate the protected health information (PHI) of some six million individuals. The information obtained included names, gender, dates of birth, phone numbers, Social Security numbers, emails, ethnicity, and emergency contact information.
OCR’s investigation found longstanding systemic noncompliance with HIPAA at CHSPSC, including failure to conduct a risk analysis as well as failures to implement information system activity reviews, security incident procedures, and access controls. OCR was particularly critical of the organization’s failure to implement security protections even after being notified by the FBI of the potential breach. Apart from the significant monetary penalty, CHSPSC must comply with a corrective action plan (CAP) that includes the following: development of an internal monitoring plan; completion of an enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic systems, data systems, programs and applications that involve ePHI; creation of a risk management plan; review and revision of policies regarding technical access to applications and systems involving ePHI; and training for all employees. Each step must meet with the approval of the Department of Health & Human Services (HHS), and CHSPSC must periodically report to HHS regarding its compliance with the CAP.