Sep 24, 2020

September Brings Stern Reminders for HIPAA Compliance

By Meghan V. Hoppe, Esq.


September 2020 has brought with it a number of settlements announced by the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Continuing its 2019 HIPAA Right of Access Initiative and responding to the frequency of healthcare security breaches, OCR has ramped up its enforcement efforts, announcing seven fines so far this month.


On September 15, 2020, OCR announced that it had settled an additional five investigations under its HIPAA Right of Access Initiative. The initiative is part of an enforcement priority implemented to support individuals’ right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. The five new settlements were with Housing Works Inc., All Inclusive Medical Services Inc., Beth Israel Lahey Health Behavioral Services, King MD and Wise Psychiatry PC. Each entity agreed to a settlement with OCR in an amount ranging from $3,500 to $70,000, depending on the severity of the HIPAA violation. These enforcement actions underscore the importance of “empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough,” as OCR Director Roger Severino said.


Next, on September 21, 2020, OCR announced a $1.5 million settlement with Athens Orthopedic Clinic PA (“Athens Orthopedic”) for potential violations of the HIPAA Privacy and Security Rules related to a hacking incident. Athens Orthopedic was notified in June 2016 that a database of its patient records had been posted online for sale. Shortly afterward, a hacker contacted Athens Orthopedic and demanded money in return for a complete copy of the stolen database. Athens Orthopedic determined that the hacker had used a vendor's credentials to access its electronic medical record system and steal patients’ protected health information (“PHI”). Athens Orthopedic filed a breach report with OCR identifying that 208,557 individuals had been affected and that the stolen PHI included patients’ names, dates of birth, social security numbers, medical procedures, test results and health insurance information. OCR’s investigation into the breach found that Athens Orthopedic had engaged in longstanding noncompliance with the HIPAA Privacy and Security Rules, including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements and provide appropriate training to workforce members.


Lastly, on September 23, 2020, OCR announced a hefty $2.3 million settlement with CHSPSC LLC (“CHSPSC”) for potential violations of the HIPAA Privacy and Security Rules related to a breach affecting over six million people. While not a health care provider, CHSPSC provides business associate services to HIPAA covered entities, including IT and health information management. In April 2014, the Federal Bureau of Investigation (“FBI”) notified CHSPSC that it had traced a hacking threat to CHSPSC’s information system. Despite the FBI’s warning, hackers used compromised administrative credentials to remotely access CHSPSC’s information system through a virtual private network (“VPN”) for four months. The attack affected 237 covered entities served by CHSPSC and exposed over six million individuals’ names, dates of birth, phone numbers, social security numbers and email addresses. OCR’s investigation found that CHSPSC had systemic noncompliance issues under the HIPAA Security Rule, including failures to implement information system activity review, security incident procedures and access controls.


As a condition of the settlements, each of the seven entities agreed to implement a corrective action plan to address deficiencies in its HIPAA compliance program and to undergo continued monitoring by OCR. These substantial enforcement actions should serve as a stern reminder to HIPAA covered entities and business associates to stay vigilant in their HIPAA compliance efforts.


For more information, please contact Meghan V. Hoppe, Esq. at mvh@spsk.com or 973-540-7351.


DISCLAIMER: This Alert is designed to keep you aware of recent developments in the law. It is not intended to be legal advice, which can only be given after the attorney understands the facts of a particular matter and the goals of the client.