The Office for Civil Rights (OCR), the body that enforces HIPAA, announced eleven enforcement actions in 2019, a mix of settlements and civil monetary penalties. Each of the eleven organizations paid a HIPAA violation fine, with the amount varying according to the severity of its violations.
Why Were the HIPAA Violation Fines Issued?
A brief summary of the HIPAA violation fines is as follows:
- Cottage Health: $3 million fine for failure to conduct a thorough risk assessment, implement security measures to reduce risks, evaluate changes in operations, and have a business associate agreement with a contractor.
- Touchstone Medical Imaging: $3 million fine for failure to conduct a thorough risk assessment, conduct a thorough investigation of the breach, and untimely breach notification.
- Medical Informatics Engineering, Inc.: $100,000 fine for failure to conduct a comprehensive risk analysis.
- Bayfront Health St. Petersburg: $85,000 fine for failure to provide access to medical records in a timely manner.
- Elite Dental Associates: $10,000 fine for failure to have policies and procedures for proper use of social media, and the lack of a HIPAA compliant Notice of Privacy Practices.
- Jackson Health System: $2.154 million fine for failure to conduct enterprise-wide risk analyses, manage identified risks, regularly review access logs, adhere to the minimum necessary standard, and timely and accurate breach notification.
- University of Rochester Medical Center: $3 million fine for failure to conduct an enterprise-wide risk analysis, implement security measures to reduce risks, utilize device and media controls, and encrypt ePHI when it was reasonable and appropriate to do so.
- Texas Health and Human Services Commission: $1.6 million fine for failure to conduct enterprise-wide risk analysis, and implement access and audit controls.
- Sentara Hospitals: $2.175 million fine for failure to accurately report a breach even after they were warned by OCR to do so, and failure to have a business associate agreement.
- Korunda Medical, LLC: $85,000 fine for failure to provide access to medical records in a timely manner, provide records in the requested format, and charging more than the acceptable fee for records.
- West Georgia Ambulance, Inc.: $65,000 fine for failure to conduct a risk analysis, provide security awareness training for employees, and implement policies and procedures in line with the HIPAA Security Rule.
What Can Behavioral Health Practices Do to Prevent HIPAA Violation Fines?
The key to avoiding HIPAA violation fines is understanding what is required by the Health Insurance Portability and Accountability Act (HIPAA). To be HIPAA compliant, behavioral health practices must adhere to the HIPAA Security and Privacy Rules by:
- Conducting a security risk analysis: a security risk analysis identifies the threats to, and the gaps in the safeguards around, electronic protected health information (ePHI). It is commonly completed annually, but the Security Rule requires it to be an ongoing process that is reviewed and updated whenever the practice's systems or operations change.
- Implementing security measures to reduce risks: HIPAA requires the confidentiality, integrity, and availability of PHI to be maintained through security measures such as firewalls and data backup.
- Evaluating operational changes: when there are changes to the way a behavioral health practice operates, security measures must be adjusted to account for those changes.
- Adhering to the Breach Notification Rule: affected patients must be notified without unreasonable delay and no later than 60 days after the breach is discovered, regardless of the size of the breach. A breach affecting 500 or more patients must also be reported to the Department of Health and Human Services (HHS) within the same 60 days, and to prominent media outlets if more than 500 residents of a state or jurisdiction are affected. A breach affecting fewer than 500 patients must be logged and reported to HHS no later than 60 days after the end of the calendar year in which it was discovered.
- Adhering to the HIPAA Right of Access rule: requested patient records must be provided within 30 days of the request (one 30-day extension is permitted if the patient is given written notice of the reason for the delay), in the form and format the patient requests (e.g. email, mail, fax) if the records are readily producible that way. Providers may charge only a reasonable, cost-based fee for copies.
- Adhering to the minimum necessary standard: providers and healthcare employees may only access the minimum necessary PHI to perform their job function.
- Implementing access and audit controls: to ensure that the minimum necessary standard is upheld, access and audit controls must be implemented. Access controls give each user a unique identity and a level of access to PHI that matches their job role. Audit controls record who accessed which PHI, when, and what they did with it, so that access logs can be reviewed regularly and excessive or unauthorized access can be detected.
- Providing a Notice of Privacy Practices: must be given to patients at intake. A Notice of Privacy Practices explains how PHI may be used and disclosed and describes patients' rights with regard to their PHI.
- Implementing policies and procedures: these define the proper use and disclosure of PHI and what staff must do in the event of a breach or other security incident.
- Training employees: ensures that employees are aware of policies and procedures.
- Signing business associate agreements: a business associate agreement (BAA) must be in place before a behavioral health practice shares PHI with a vendor that handles PHI on its behalf. The BAA sets out the safeguards the business associate must maintain and which party is responsible for notifying whom should a breach occur.
- Encrypting devices when it is reasonable and appropriate: encryption, or similar security measures, must be implemented to secure PHI on portable devices such as laptops or thumb drives.
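Regularly reviewing access logs, which the Jackson Health System finding above shows is the part of access and audit controls most often left undone, is something a small practice can partly automate. The following Python script is an added example, not part of the original article and not any vendor's product: it checks constructed EHR audit-log lines against a constructed care-team roster and role policy, flagging record access with no treatment relationship, actions outside the user's role, and unusually high daily volume. The log layout, the roster, the role policy and the five-patient daily threshold are all assumptions made for the example.

```python
"""Routine review of EHR audit-log lines against the minimum necessary standard.

Added illustration, not code from the original article. The log format,
care-team roster, role policy and threshold below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines: timestamp,user,role,patient_id,action.
# A real EHR exports something similar; this exact layout is assumed.
AUDIT_LOG = """\
2019-06-03T08:02:11,clinician_a,therapist,P1001,view_note
2019-06-03T08:15:40,clinician_a,therapist,P1002,view_note
2019-06-03T09:01:05,billing_b,billing,P1001,view_claim
2019-06-03T09:03:22,billing_b,billing,P1003,view_note
2019-06-03T22:41:09,frontdesk_c,scheduler,P2001,view_note
2019-06-03T22:41:31,frontdesk_c,scheduler,P2002,view_note
2019-06-03T22:42:02,frontdesk_c,scheduler,P2003,view_note
2019-06-03T22:42:40,frontdesk_c,scheduler,P2004,view_note
2019-06-03T22:43:15,frontdesk_c,scheduler,P2005,view_note
2019-06-03T22:43:50,frontdesk_c,scheduler,P2006,view_note
"""

# Constructed care-team roster: the patients each user has a treatment,
# payment or operations relationship with (the "minimum necessary" basis).
CARE_TEAM = {
    "clinician_a": {"P1001", "P1002"},
    "billing_b": {"P1001", "P1003"},
    "frontdesk_c": {"P2001"},
}

# Assumed role-based policy: actions each role may perform on a record it
# has a relationship with. Billing staff see claims, not clinical notes.
ROLE_ACTIONS = {
    "therapist": {"view_note", "edit_note"},
    "billing": {"view_claim"},
    "scheduler": {"view_schedule"},
}

# Assumed review threshold: distinct patients one user touches in a day
# before the volume alone warrants a closer look.
DAILY_DISTINCT_PATIENT_LIMIT = 5


def parse_log(text):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def review_access(events, care_team, role_actions, daily_limit):
    """Return (rule, user, detail) findings for the three checks."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for e in events:
        # Rule 1: access to a patient the user has no relationship with.
        if e["patient"] not in care_team.get(e["user"], set()):
            findings.append(("no_relationship", e["user"],
                             f"{e['patient']} {e['action']} at {e['ts'].isoformat()}"))
        # Rule 2: an action the user's role is not permitted to perform.
        if e["action"] not in role_actions.get(e["role"], set()):
            findings.append(("action_outside_role", e["user"],
                             f"{e['role']} performed {e['action']} on {e['patient']}"))
        patients_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Rule 3: more distinct patients in one day than the role-neutral limit.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > daily_limit:
            findings.append(("high_volume", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


def flagged_users(findings):
    """Sorted list of users with at least one finding, for the reviewer."""
    return sorted({user for _, user, _ in findings})


if __name__ == "__main__":
    results = review_access(parse_log(AUDIT_LOG), CARE_TEAM,
                            ROLE_ACTIONS, DAILY_DISTINCT_PATIENT_LIMIT)
    for rule, user, detail in results:
        print(f"{rule:20} {user:12} {detail}")
    print("users to review:", ", ".join(flagged_users(results)))
```

On the constructed data, clinician_a produces no findings, billing_b is flagged once for viewing a clinical note, and frontdesk_c is flagged on all three rules, which is the pattern of a scheduler browsing records outside their caseload late in the evening. Pairing a roster-based check with a plain volume threshold matters: the volume rule catches snooping that a stale roster would excuse, and the roster rule catches a single targeted lookup the volume rule would never see.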