The Department of Health and Human Services’ Office for Civil Rights (OCR) resolved 19 HIPAA violation cases in 2020. That is the largest number of financial penalties OCR has issued in a single year since it was given authority to enforce HIPAA compliance, and the settlements brought in $13,554,900 to resolve those cases.
Penalties for Noncompliance with the HIPAA Right of Access
At the end of 2019, OCR announced a new HIPAA enforcement initiative to address noncompliance with the HIPAA Privacy Rule Right of Access standard. Since then, OCR has been very active under this initiative and has issued 14 financial penalties for noncompliance to date; 11 of the 14 were issued in 2020.
Under the HIPAA Right of Access standard, 45 C.F.R. § 164.524(a), patients have the right to access, inspect, and obtain a copy of their protected health information (PHI) held in a designated record set. When a patient or a personal representative submits a request, the healthcare provider must provide the records within 30 days. The entity may charge a reasonable, cost-based fee for furnishing a copy of the requested information, and it may deny a request for a copy of health records only in a limited set of circumstances.
OCR investigates complaints from individuals who state that they were refused access to their medical records, that they did not receive the records within 30 days, or that they were charged excessive fees for the requested copies. In 2020, OCR imposed financial penalties for HIPAA Right of Access violations ranging from $15,000 to $160,000. The violations usually stemmed from refusals to furnish copies of health records or from lengthy delays, and in many cases patients received their records only after OCR intervened.
2020 HIPAA Right of Access Enforcement Actions
1. Dignity Health, dba St. Joseph’s Hospital and Medical Center paid $160,000
2. NY Spine paid $100,000
3. Beth Israel Lahey Health Behavioral Services paid $70,000
4. University of Cincinnati Medical Center paid $65,000
5. Housing Works, Inc. paid $38,000
6. Peter Wrobel, M.D., P.C., dba Elite Primary Care paid $36,000
7. Riverside Psychiatric Medical Group paid $25,000
8. Dr. Rajendra Bhayani paid $15,000
9. All Inclusive Medical Services, Inc. paid $15,000
10. Wise Psychiatry, PC paid $10,000
11. King MD paid $3,500
Other 2020 HIPAA Violation Penalties
OCR also issued HIPAA violation penalties in 2020 for noncompliance with other provisions of the HIPAA Rules. The size of a penalty depends on the harm caused, the seriousness of the violations, the number of individuals affected, the degree of cooperation with OCR, the entity’s ability to pay, and the voluntary steps taken to correct the violations. In each of the cases listed below, OCR identified several violations of the HIPAA Rules.
1. Premera Blue Cross paid $6,850,000 for failing to perform a comprehensive risk analysis, failing to reduce risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and failing to implement sufficient hardware and software controls.
2. CHSPSC LLC paid $2,300,000 for failing to conduct a comprehensive risk analysis, failing to perform information system activity reviews, having inadequate access controls and security incident response procedures, and failing to respond promptly to the FBI’s notification of a cyberattack.
3. Athens Orthopedic Clinic paid $1,500,000 for failing to conduct a comprehensive risk analysis, failing to implement security measures to reduce risks to ePHI, failing to implement appropriate hardware, software, and procedures for recording and examining information system activity, failing to implement HIPAA policies until August 2016, lacking business associate agreements with three vendors, and failing to provide HIPAA Privacy Rule training to employees until January 15, 2018.
4. Lifespan Health System Affiliated Covered Entity paid $1,040,000 for failing to implement encryption on mobile devices, failing to track the movement of devices into and out of its facilities, failing to maintain an inventory of mobile devices, and lacking a business associate agreement with Lifespan Corporation and Lifespan ACE.
5. Aetna paid $1,000,000 for failing to perform periodic technical and non-technical evaluations of operational changes affecting the security of ePHI, failing to implement procedures to verify the identity of persons or entities seeking access to ePHI, failing to limit disclosures of ePHI to the minimum necessary to accomplish their purpose, and lacking the appropriate administrative, physical, and technical safeguards to protect the privacy of ePHI.
6. City of New Haven, CT paid $202,400 for failing to terminate a former employee’s access rights, failing to perform a comprehensive risk analysis, failing to implement HIPAA Privacy Rule policies, and failing to assign unique user IDs for tracking system activity.
7. Steven A. Porter, M.D. paid $100,000 for failing to perform a risk analysis, failing to reduce risks to the confidentiality, integrity, and availability of ePHI to a reasonable and appropriate level, and lacking the required business associate agreement.
8. Metropolitan Community Health Services dba Agape Health Services paid $25,000 for failing to implement HIPAA Security Rule policies and procedures, failing to perform an accurate risk analysis, and failing to provide security awareness training to employees for over 16 years.