HCA Healthcare Data Breach May Affect 11 Million Patients

Author HeadshotBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On July 11, 2023, HCA Healthcare, which operates 180 hospitals in the U.S. and Britain, said a hacker may have stolen the personal data of about 11 million patients in a data breach. A press release warned patients that critical personal information had been compromised, including their full name, city, and when and where they last saw a healthcare provider.

What Happened to the Patient Data?

Data samples, including addresses, phone numbers, e-mails, and birth dates, were posted to DataBreaches.net (an online forum popular with cyber crooks) by a hacker trying to sell them. However, after publication, an HCA spokesperson told CNBC that the sample data set published was only a “marketing campaign” (or fake data) and was not an individual patient’s real medical assessment.

Who is Affected?

The hack affects patients in nearly two dozen states, including those from dozens of Florida and Texas facilities. The data also included information on scheduled appointments and the medical departments involved. The hacker also dumped a file online in what appeared to be a failed attempt to extort HCA. It included nearly one million records from the company’s San Antonio division.

Patient data breaches are not uncommon, but they can vary in scope and effect. HCA’s breach did not include critical medical records. The company said that the breached data originated at an external storage location exclusively used to automate the formatting of e-mail messages.

HCA Healthcare will offer credit monitoring and identity protection services for patients who have been impacted. But in the meantime, the company is encouraging everyone to look out for spam calls, texts, or e-mails, targeting them for fraud and scams.

For more information on this topic, read one of my prior blogs.

Contact Health Law Attorneys Experienced in Representing Health Care Professionals and Providers.

At the Health Law Firm, we provide legal services for all healthcare providers and professionals. This includes physicians, nurses, dentists, psychologists, psychiatrists, mental health counselors, home health agencies, hospitals, ambulatory surgical centers, social workers, assisted living facilities, and other healthcare providers. It includes resident physicians and fellows, medical students, medical school professors, and clinical staff. We represent health facilities, individuals, groups, and institutions in contracts, sales, mergers, and acquisitions. The lawyers of The Health Law Firm are experienced in complex litigation and both formal and informal administrative hearings. We also represent physicians, nurses, and mental health professionals in investigations for alleged wrongdoing, patient complaints, and Department of Health investigations.

To contact The Health Law Firm, please call our office at (407) 331-6620 or toll-free at (888) 331-6620 and visit our website at www.TheHealthLawFirm.com.

Sources:

Bajak, Frank. “HCA Healthcare says data breach may affect 11 million patients in 20 states.” Associated Press (AP). (July 11, 2023). https://apnews.com/article/data-breach-hca-healthcare-hack-identity-theft-507d8b8915dd934a5be4bd6fb853dfb1

Galarza, Monica. “HCA Healthcare data breach impacts millions of patients, dozens of Florida facilities. Here’s what to know.” CNBC. (July 11, 2023). https://www.nbcmiami.com/news/business/money-report/hca-healthcare-data-breach-impacts-millions-of-patients-dozens-of-florida-facilities-heres-what-to-know/3069139/#:~:text=HCA%20Healthcare%20released%20a%20statement,locations%20of%20the%20patients’%20appointments

Goswami, Rohan. “HCA Healthcare patient data stolen and for sale by hackers.” CNBC.
(July 10, 2023). https://www.cnbc.com/2023/07/10/hca-healthcare-patient-data-stolen-and-for-sale-by-hackers.html

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law; he is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Avenue, Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 or Toll-Free: (888) 331-6620.

Current Open Positions with The Health Law Firm. The Health Law Firm always seeks qualified individuals interested in health law. Its main office is in the Orlando, Florida, area. If you are a current member of The Florida Bar or a qualified professional who is interested, please forward a cover letter and resume to: [email protected] or fax them to (407) 331-3030.

The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2023 The Health Law

By |2023-10-10T11:18:59-04:00October 10, 2023|Categories: Nursing Law Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , |0 Comments

Dental Practice Pays $23,000 For Potential HIPAA Privacy Violations Involving Yelp Posts

Author HeadshotBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On December 14, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with New Vision Dental (NVD) over a potential HIPAA Privacy violation. The California-based dental practice paid $23,000 to OCR and agreed to implement a corrective action plan after allegedly including protected health information (PHI) in its responses to reviews on Yelp.

The Complaint and Investigation.

On November 29, 2017, the Office for Civil Rights (OCR) received a complaint alleging New Vision Dental had posted responses to several unfavorable reviews by patients on Yelp and frequently disclosed confidential protected health information (PHI) in its responses. For example, in some posts, patients were allegedly identified, and NVD revealed their full names when the patient may have only chosen to use a made-up name on the platform. Other information allegedly posted included detailed information about the patient’s visits, treatment, and health insurance when the patient had not posted that information publicly.

The federal agency’s investigation found potential violations of the HIPAA Privacy Rule, including impermissible uses and disclosures of PHI and failures to provide adequate Notice of Privacy Practices and implement Privacy policies and procedures. “This latest enforcement action demonstrates the importance of following the law even when using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear ‘NO,’” said OCR Director Melanie Fontes Rainer in a statement.

To read more, click here for the press release from the HHS.

In addition to the settlement, NVD agreed to implement a corrective action plan (CAP) that will be monitored for two years by OCR. As part of its CAP, the dental practice agreed to develop, revise, and maintain written policies and procedures to comply with federal privacy and security standards. All workforce members will also receive training on those policies and procedures, and NVD must remove all social media postings that include PHI.

The resolution agreement and CAP can be viewed here.

Guidelines for Appropriate Use of Social Media and Social Networking.

Healthcare professionals are discouraged from interacting with current or past patients on personal social networking sites and should never, under any circumstances, reveal personal information about the patient or the patient’s treatment or care. Online interaction with patients should only occur when discussing the patient’s medical treatment within the physician-patient relationship and with written, signed consent by the patient to use e-mail or other online services for such messaging. These interactions should never occur on personal social networking or social media websites.

Patient privacy must always be protected, especially on social media and social networking websites. Breaches in patient confidentiality could harm the patient and violate federal privacy laws such as the Health Insurance Portability and Accountability Act of 1996 and applicable state privacy laws.

Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties.

This penalty was the 21st financial penalty OCR imposed in 2022 to resolve HIPAA violations, more than in any other year since it was given the authority to enforce HIPAA compliance. With the increased popularity and availability of social media platforms also comes an increase in potential privacy violations. To read a previous blog I wrote on this, click here.

If Notified of a HIPAA Investigation or Audit, Consult an Experience Health Law Attorney Immediately.

If you receive notice that you have a HIPAA Privacy Complaint, are suspected of a HIPAA breach, or are subject to a HIPAA audit, consult an experienced healthcare attorney immediately. There are many technicalities to these laws and regulations, and what may initially seem like a violation may be proven to be nothing. Many defenses can be raised, and often a complaint may be dismissed by the OCR once the correct facts are shown to it by your attorney.

Don’t Wait Until It’s Too Late, Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, nurses, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Alder, Steve. “OCR Fines California Dental Practice for PHI Disclosures on Yelp.” HIPAA Journal. (December 14, 2022). Web.

McKeon, Jill. “OCR Settles Potential HIPAA Violation After Dental Practice Discloses PHI on Yelp.” Health Care It News. (December 14, 2022).

Health News Weekly. “California Dental Practice Pays $23,000 to Resolve Potential HIPAA Violations Involving Social Media Posts.” AHLA. (December 16, 2022). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 or Toll-Free: (888) 331-6620.

Current Open Positions with The Health Law Firm. The Health Law Firm always seeks qualified individuals interested in health law. Its main office is in the Orlando, Florida, area. If you are a current member of The Florida Bar or a qualified professional who is interested, please forward a cover letter and resume to: [email protected] or fax them to (407) 331-3030.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2023 The Health Law Firm. All rights reserved.

By |2023-09-11T13:51:02-04:00September 11, 2023|Categories: Health Facilities Law Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , |0 Comments

California Dental Practice Pays $23,000 Settlement For Potential HIPAA Privacy Violations Involving Yelp Posts

Author HeadshotBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On December 14, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with New Vision Dental (NVD) over a potential HIPAA Privacy violation. The California-based dental practice paid $23,000 to OCR and agreed to implement a corrective action plan after allegedly including protected health information (PHI) in its responses to reviews on Yelp.

The Complaint and Investigation.

On November 29, 2017, the Office for Civil Rights (OCR) received a complaint alleging New Vision Dental had posted responses to several unfavorable reviews by patients on Yelp and frequently disclosed confidential protected health information (PHI) in its responses. For example, in some posts, patients were allegedly identified, and NVD revealed their full names when the patient may have only chosen to use a made-up name on the platform. Other information allegedly posted included detailed information about the patient’s visits, treatment, and health insurance, when that information had not been posted publicly by the patient.

The federal agency’s investigation found potential violations of the HIPAA Privacy Rule, including impermissible uses and disclosures of PHI and failures to provide adequate Notice of Privacy Practices and implement Privacy policies and procedures. “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews. This is a clear ‘NO,’” said OCR Director Melanie Fontes Rainer in a statement.

To read more, click here for the press release from the HHS.

In addition to the settlement, NVD agreed to implement a corrective action plan (CAP) that will be monitored for two years by OCR. As part of its CAP, the dental practice agreed to develop, revise, and maintain written policies and procedures to comply with federal privacy and security standards. All workforce members will also receive training on those policies and procedures, and NVD is required to remove all social media postings that include PHI.

The resolution agreement and CAP can be viewed here.

Guidelines for Appropriate use of Social Media and Social Networking.

Healthcare professionals are discouraged from interacting with current or past patients on personal social networking sites and should never, under any circumstances, reveal personal information about the patient or the patient’s treatment or care. Online interaction with patients should only occur when discussing the patient’s medical treatment within the physician-patient relationship and with written, signed consent by the patient to use e-mail or other online services for such messaging. These interactions should never occur on personal social networking or social media websites.

Patient privacy must be protected at all times, especially on social media and social networking websites. Breaches in patient confidentiality could harm the patient and violate federal privacy laws such as the Health Insurance Portability and Accountability Act of 1996 and applicable state privacy laws.

Failure to Comply With HIPAA Can Result in Both Civil and Criminal Penalties.

This penalty was the 21st financial penalty to be imposed by OCR in 2022 to resolve HIPAA violations, more than in any other year since it was given the authority to enforce HIPAA compliance. With the increased popularity and availability of social media platforms also comes an increase in potential privacy violations. To read a previous blog I wrote on this, click here.

If Notified of a HIPAA Investigation or Audit, Consult an Experience Health Law Attorney Immediately.

If you receive notice that you have a HIPAA Privacy Complaint, are suspected of a HIPAA breach, or are subject to a HIPAA audit, consult with an experienced health care attorney immediately. There are many technicalities to these laws and regulations, and what may initially seem like a violation may be proven to be nothing. Many defenses can be raised, and often a complaint may be dismissed by the OCR once the correct facts are shown to it by your attorney.

Don’t Wait Until It’s Too Late, Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, nurses, and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Alder, Steve. “OCR Fines California Dental Practice for PHI Disclosures on Yelp.” HIPAA Journal. (December 14, 2022). Web.

McKeon, Jill. “OCR Settles Potential HIPAA Violation After Dental Practice Discloses PHI on Yelp.” Health Care It News. (December 14, 2022).

Health News Weekly. “California Dental Practice Pays $23,000 to Resolve Potential HIPAA Violations Involving Social Media Posts.” AHLA. (December 16, 2022). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 or Toll-Free: (888) 331-6620.

Current Open Positions with The Health Law Firm. The Health Law Firm always seeks qualified individuals interested in health law. Its main office is in the Orlando, Florida, area. If you are a current member of The Florida Bar or a qualified professional who is interested, please forward a cover letter and resume to: [email protected] or fax them to (407) 331-3030.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2023 The Health Law Firm. All rights reserved.

By |2023-01-17T11:36:47-05:00January 17, 2023|Categories: Dental Law Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , |0 Comments

Florida Primary Care Practice Settles HIPAA Investigation for $20,000

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

On December 15, 2022, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced that Health Specialists of Central Florida, Inc., will pay $20,000 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s right of access standard.

The primary care provider also agreed to a corrective action plan (CAP) with two years of monitoring.

It is extremely important that Florida physicians and health professionals remember that there is a federal law requirement under HIPAA that requires the timely furnishing of a health record requested by a patient. You must be sure to meet the deadline, but, more importantly, document that you have met it. Use cover letters, obtain receipts when possible, and document the date you provided the record in the record.

Click here to view the press release issued by the OCR.

Right of Access Standard.

OCR first launched an investigation into Health Specialists of Central Florida after the daughter of a deceased patient filed a complaint in November 2019. The complainant made a written access request for her father’s medical records but did not receive them for nearly five months, and only after multiple requests.

The HIPAA right of access standard requires covered entities to respond to requests for records within 30 days of receipt or 60 days if it obtains an extension of time. OCR’s guidance on the right of access is available here.

The Settlement.

In addition to the monetary settlement, Health Specialists of Central Florida will undertake a corrective action plan (CAP) that includes two years of monitoring. The CAP requires the practice to develop, maintain, and revise its written privacy procedures and policies, distribute them to the workforce, and review and update its right of access to PHI policy.

This case marks the 42nd case resolved under OCR’s HIPAA Right of Access Initiative. To view the settlement agreement and CAP, click here.

 

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, dental practices, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions in investigating and defending against HIPAA investigations and complaints and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Health Law Weekly. “Florida Primary Care Provider to Pay $20,000 to Resolve Right of Access Probe.” AHLA. (December 16, 2022). Web.

Giles, Bruce. “Florida primary care practice fined HHS $20K for not giving timely access to patient data.” Becker’s Hospital Review. (December 16, 2022). Web.

McKeon, Jill. “OCR Resolves HIPAA Right of Access Case With FL Primary Care Practice.” Health IT Security. (December 16, 2022). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 or Toll-Free: (888) 331-6620.

Current Open Positions with The Health Law Firm. The Health Law Firm always seeks qualified individuals interested in health law. Its main office is in the Orlando, Florida, area. If you are a current member of The Florida Bar or a qualified professional who is interested, please forward a cover letter and resume to: [email protected] or fax them to (407) 331-3030.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2022 The Health Law Firm. All rights reserved.

 

 

By |2022-12-28T11:39:15-05:00December 28, 2022|Categories: Health Facilities Law Blog|Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , |0 Comments

Multiple Settlements with HHS for HIPAA Security Rule Violations & Data Breaches

George IndestBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

In September 2020, the Department of Health and Human Services (HHS) announced three settlements to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The settlements, totaling $10.6 million, stem from data breaches in which hackers were able to access and obtain individuals’ protected health information (PHI) from U.S. health providers. Combined, the three hacking incidents compromised the health information of more than 16 million patients.

Summary of the HIPAA Security Rule Settlements.

On September 21, 2020, the Office of Civil Rights, or OCR, the division of HHS which receives and investigates HIPAA complaints, announced a settlement with an orthopedic clinic in Georgia. The clinic agreed to pay $1.5 million after a 2016 hacking incident that compromised over 200,000 patient records. Part of the settlement included a Corrective Action Plan, or CAP, which the clinic agreed to adopt, to help prevent future breaches of privacy. Click here to view the resolution agreement and Corrective Action Plan (CAP).

On September 24, 2020, the OCR publicized a settlement with an information technology (IT) and health information management company. The business agreed to pay $2.3 million to settle claims of systemic security rule violations relating to a 2014 hacking incident impacting the personal health information (PHI) of more than 6 million individuals. Click here to read the settlement agreement.

Days later, the OCR released information about a $6.85 million settlement with Premera Blue Cross, the largest health plan in the Pacific Northwest. The settlement, the second largest to date, related to a 2015 cyber-attack which exposed the health information of more than 10 million individuals. To read the resolution agreement in full, click here.

In regard to these settlements, the OCR alleged that the following security rule violations had occurred:

1. Failure to conduct an adequate and thorough risk analysis;

2. Failure to implement sufficient mechanisms to record and examine system activities;

3. Failure to enter into business associate agreements with vendors with access to electronic protected health information;

4. Failure to implement reasonable security measures to reduce risks and vulnerabilities;

5. Failure to respond to and document a known security incident;

6. Failure to implement technical policies and procedures regarding access; and

7. Failure to implement procedures to regularly review system activity logs and reports.

Readers could use the above as a compliance checklist to make sure their own systems of records are being properly protected.

Consequences of HIPAA Rule Noncompliance.

The HIPAA Security Rule establishes a set of national standards for confidentiality, integrity, and availability of e-PHI. HHS is responsible for administering and enforcing these standards, along with enforcement of the HIPAA Privacy Rule. Therefore, the agency may conduct complaint investigations and compliance reviews. To learn more details about the HIPAA Security Rule, click here.

HHS looks for systems failures, prior breaches, missing risk analyses, or absence of or inadequate HIPAA policies. Without question, any compliance violations will result in an enforcement action. And as these three settlements have demonstrated, enforcement can be costly.

Don’t Wait Until It’s Too Late, Protect Yourself from HIPAA Security Rule Compliance Violations.

Businesses and organizations need to acknowledge the need to act and create a HIPAA security rule compliance plan. Locating existing security policies and the last completed risk analysis is an essential step in compliance. If it’s been over a year, perform or update risk analysis to identify risks or vulnerabilities on all systems that contain any e-PHI. Security rule compliance requires regular attention and detailed records. Take steps now to help protect e-PHI from data breaches, and avoid millions of dollars in settlements or fines.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions to investigate and defend alleged HIPAA complaints and violations and prepare Corrective Action Plans (CAPs). Our attorneys regularly defend OCR HIPAA audits, defend in HIPAA complaint investigations, assist in preparing a HIPAA Risk Analyses, defend in federal administrative actions and administrative hearing cases, and defend in civil or administrative litigation of HIPAA/breach of medical confidentiality law suits.

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Kraus, Anna and Carrier, Tara. “HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative.” Lexology. (October 6, 2020). Web.

Castricone, Dena. “The Crushing Cost Of HIPAA Security Rule Noncompliance.” Law360. (October 1, 2020). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.

The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2021 The Health Law

Multiple Settlements with HHS for HIPAA Security Rule Violations & Data Breaches

George IndestBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

In September 2020, the Department of Health and Human Services (HHS) announced three settlements to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The settlements, totaling $10.6 million, stem from data breaches in which hackers were able to access and obtain individuals’ protected health information (PHI) from U.S. health providers. Combined, the three hacking incidents compromised the health information of more than 16 million patients.

Summary of the HIPAA Security Rule Settlements.

On September 21, 2020, the Office of Civil Rights, or OCR, the division of HHS which receives and investigates HIPAA complaints, announced a settlement with an orthopedic clinic in Georgia. The clinic agreed to pay $1.5 million after a 2016 hacking incident that compromised over 200,000 patient records. Part of the settlement included a Corrective Action Plan, or CAP, which the clinic agreed to adopt, to help prevent future breaches of privacy. Click here to view the resolution agreement and Corrective Action Plan (CAP).

On September 24, 2020, the OCR publicized a settlement with an information technology (IT) and health information management company. The business agreed to pay $2.3 million to settle claims of systemic security rule violations relating to a 2014 hacking incident impacting the personal health information (PHI) of more than 6 million individuals. Click here to read the settlement agreement.

Days later, the OCR released information about a $6.85 million settlement with Premera Blue Cross, the largest health plan in the Pacific Northwest. The settlement, the second largest to date, related to a 2015 cyber-attack which exposed the health information of more than 10 million individuals. To read the resolution agreement in full, click here.

In regard to these settlements, the OCR alleged that the following security rule violations had occurred:

1. Failure to conduct an adequate and thorough risk analysis;

2. Failure to implement sufficient mechanisms to record and examine system activities;

3. Failure to enter into business associate agreements with vendors with access to electronic protected health information;

4. Failure to implement reasonable security measures to reduce risks and vulnerabilities;

5. Failure to respond to and document a known security incident;

6. Failure to implement technical policies and procedures regarding access; and

7. Failure to implement procedures to regularly review system activity logs and reports.

Readers could use the above as a compliance checklist to make sure their own systems of records are being properly protected.

Consequences of HIPAA Rule Noncompliance.

The HIPAA Security Rule establishes a set of national standards for confidentiality, integrity, and availability of e-PHI. HHS is responsible for administering and enforcing these standards, along with enforcement of the HIPAA Privacy Rule. Therefore, the agency may conduct complaint investigations and compliance reviews. To learn more details about the HIPAA Security Rule, click here.

HHS looks for systems failures, prior breaches, missing risk analyses, or absence of or inadequate HIPAA policies. Without question, any compliance violations will result in an enforcement action. And as these three settlements have demonstrated, enforcement can be costly.

Don’t Wait Until It’s Too Late, Protect Yourself from HIPAA Security Rule Compliance Violations.

Businesses and organizations need to acknowledge the need to act and create a HIPAA security rule compliance plan. Locating existing security policies and the last completed risk analysis is an essential step in compliance. If it’s been over a year, perform or update risk analysis to identify risks or vulnerabilities on all systems that contain any e-PHI. Security rule compliance requires regular attention and detailed records. Take steps now to help protect e-PHI from data breaches, and avoid millions of dollars in settlements or fines.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions to investigate and defend alleged HIPAA complaints and violations and prepare Corrective Action Plans (CAPs). Our attorneys regularly defend OCR HIPAA audits, defend in HIPAA complaint investigations, assist in preparing a HIPAA Risk Analyses, defend in federal administrative actions and administrative hearing cases, and defend in civil or administrative litigation of HIPAA/breach of medical confidentiality law suits.

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Kraus, Anna and Carrier, Tara. “HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative.” Lexology. (October 6, 2020). Web.

Castricone, Dena. “The Crushing Cost Of HIPAA Security Rule Noncompliance.” Law360. (October 1, 2020). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.

The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2021 The Health Law

Multiple Settlements with HHS for HIPAA Security Rule Violations & Data Breaches

George IndestBy George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

In September 2020, the Department of Health and Human Services (HHS) announced three settlements to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The settlements, totaling $10.6 million, stem from data breaches in which hackers were able to access and obtain individuals’ protected health information (PHI) from U.S. health providers. Combined, the three hacking incidents compromised the health information of more than 16 million patients.

Summary of the HIPAA Security Rule Settlements.

On September 21, 2020, the Office of Civil Rights, or OCR, the division of HHS which receives and investigates HIPAA complaints, announced a settlement with an orthopedic clinic in Georgia. The clinic agreed to pay $1.5 million after a 2016 hacking incident that compromised over 200,000 patient records. Part of the settlement included a Corrective Action Plan, or CAP, which the clinic agreed to adopt, to help prevent future breaches of privacy. Click here to view the resolution agreement and Corrective Action Plan (CAP).

On September 24, 2020, the OCR publicized a settlement with an information technology (IT) and health information management company. The business agreed to pay $2.3 million to settle claims of systemic security rule violations relating to a 2014 hacking incident impacting the personal health information (PHI) of more than 6 million individuals. Click here to read the settlement agreement.

Days later, the OCR released information about a $6.85 million settlement with Premera Blue Cross, the largest health plan in the Pacific Northwest. The settlement, the second largest to date, related to a 2015 cyber-attack which exposed the health information of more than 10 million individuals. To read the resolution agreement in full, click here.

In regard to these settlements, the OCR alleged that the following security rule violations had occurred:

1. Failure to conduct an adequate and thorough risk analysis;

2. Failure to implement sufficient mechanisms to record and examine system activities;

3. Failure to enter into business associate agreements with vendors with access to electronic protected health information;

4. Failure to implement reasonable security measures to reduce risks and vulnerabilities;

5. Failure to respond to and document a known security incident;

6. Failure to implement technical policies and procedures regarding access; and

7. Failure to implement procedures to regularly review system activity logs and reports.

Readers could use the above as a compliance checklist to make sure their own systems of records are being properly protected.

Consequences of HIPAA Rule Noncompliance.

The HIPAA Security Rule establishes a set of national standards for confidentiality, integrity, and availability of e-PHI. HHS is responsible for administering and enforcing these standards, along with enforcement of the HIPAA Privacy Rule. Therefore, the agency may conduct complaint investigations and compliance reviews. To learn more details about the HIPAA Security Rule, click here.

HHS looks for systems failures, prior breaches, missing risk analyses, or absence of or inadequate HIPAA policies. Without question, any compliance violations will result in an enforcement action. And as these three settlements have demonstrated, enforcement can be costly.

Don’t Wait Until It’s Too Late, Protect Yourself from HIPAA Security Rule Compliance Violations.

Businesses and organizations need to acknowledge the need to act and create a HIPAA security rule compliance plan. Locating existing security policies and the last completed risk analysis is an essential step in compliance. If it’s been over a year, perform or update risk analysis to identify risks or vulnerabilities on all systems that contain any e-PHI. Security rule compliance requires regular attention and detailed records. Take steps now to help protect e-PHI from data breaches, and avoid millions of dollars in settlements or fines.


Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals, and other healthcare providers and institutions to investigate and defend alleged HIPAA complaints and violations and prepare Corrective Action Plans (CAPs). Our attorneys regularly defend OCR HIPAA audits, defend in HIPAA complaint investigations, assist in preparing a HIPAA Risk Analyses, defend in federal administrative actions and administrative hearing cases, and defend in civil or administrative litigation of HIPAA/breach of medical confidentiality law suits.

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or toll-free (888) 331-6620.

Sources:

Kraus, Anna and Carrier, Tara. “HHS Announces Multiple HIPAA Settlements Related to Data Breaches and the Right of Access Initiative.” Lexology. (October 6, 2020). Web.

Castricone, Dena. “The Crushing Cost Of HIPAA Security Rule Noncompliance.” Law360. (October 1, 2020). Web.

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave. Suite 1000, Altamonte Springs, FL 32714, Phone: (407) 331-6620 Toll-Free: (888) 331-6620.

The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999.
Copyright © 2021 The Health Law

Go to Top