The Office for Civil Rights (OCR), the enforcement body for HIPAA compliance, announced eleven settlements in 2019. Each of the eleven organizations received HIPAA fines, varying in amounts based on the severity of their violations.
Why Were the HIPAA Fines Issued?
A brief summary of the HIPAA fines is as follows:
- Cottage Health: $3 million fine for failure to conduct a thorough risk assessment, implement security measures to reduce risks, evaluate changes in operations, and have a business associate agreement with a contractor.
- Touchstone Medical Imaging: $3 million fine for failure to conduct a thorough risk assessment, conduct a thorough investigation of the breach, and provide timely breach notification.
- Medical Informatics Engineering, Inc.: $100,000 fine for failure to conduct a comprehensive risk analysis.
- Bayfront Health St. Petersburg: $85,000 for failure to provide access to medical records in a timely manner.
- Elite Dental Associates: $10,000 fine for failure to have policies and procedures for proper use of social media, and the lack of a HIPAA compliant Notice of Privacy Practices.
- Jackson Health System: $2.154 million fine for failure to conduct enterprise-wide risk analyses, manage identified risks, regularly review access logs, adhere to the minimum necessary standard, and provide timely and accurate breach notification.
- University of Rochester Medical Center: $3 million fine for failure to conduct an enterprise-wide risk analysis, implement security measures to reduce risks, utilize device and media controls, and encrypt ePHI when it was reasonable and appropriate to do so.
- Texas Health and Human Services Commission: $1.6 million fine for failure to conduct enterprise-wide risk analysis, and implement access and audit controls.
- Sentara Hospitals: $2.175 million fine for failure to accurately report a breach even after they were warned by OCR to do so, and failure to have a business associate agreement.
- Korunda Medical, LLC: $85,000 fine for failure to provide access to medical records in a timely manner, provide records in the requested format, and for charging more than the acceptable fee for records.
- West Georgia Ambulance, Inc.: $65,000 fine for failure to conduct a risk analysis, provide security awareness training for employees, and implement policies and procedures in line with the HIPAA Security Rule.
What Can Behavioral Health Practices Do to Prevent HIPAA Fines?
The key to avoiding HIPAA fines is understanding what is required by the Health Insurance Portability and Accountability Act (HIPAA). To be HIPAA compliant, behavioral health practices must adhere to the HIPAA Security and Privacy Rules by:
- Conducting a security risk analysis: required to be completed annually, a security risk analysis identifies gaps in security measures safeguarding protected health information (PHI).
- Implementing security measures to reduce risks: HIPAA requires the confidentiality, integrity, and availability of PHI to be maintained through security measures such as firewalls and data backup.
- Evaluating operational changes: when there are changes to the way a behavioral health practice operates, security measures must be adjusted to account for those changes.
- Adhering to the Breach Notification Rule: a breach affecting 500 or more patients must be reported to the Department of Health and Human Services (HHS), affected patients, and the media within 60 days of discovery. A breach affecting fewer than 500 patients must be reported to HHS and affected patients by the end of the calendar year.
- Adhering to the HIPAA Right of Access rule: requested patient records must be provided within 30 days of the request, in the format in which they were requested (e.g., email, mail, fax). Providers cannot charge excessively for access to records.
- Adhering to the minimum necessary standard: providers and healthcare employees may only access the minimum necessary PHI to perform their job function.
- Implementing access and audit controls: to ensure that the minimum necessary standard is upheld, access and audit controls must be implemented. Access controls designate different levels of access to PHI based on job role. Audit controls monitor who accesses what PHI, and for how long, to ensure that PHI is not accessed excessively.
- Providing a Notice of Privacy Practices: must be given to patients upon intake. A Notice of Privacy Practices states how PHI may be used and disclosed and explains patients' rights regarding their PHI.
- Implementing policies and procedures: these dictate the proper use and disclosure of PHI as well as what to do in the event of a breach or other security incident.
- Training employees: ensures that employees are aware of policies and procedures.
- Signing business associate agreements: a business associate agreement (BAA) must be signed before a behavioral health practice may share PHI with a business associate. The BAA dictates the security measures that must be in place as well as which party is responsible for reporting a breach should one occur.
- Encrypting devices when it is reasonable and appropriate: encryption, or similar security measures, must be implemented to secure PHI on portable devices such as laptops or thumb drives.
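The minimum necessary standard and the access and audit controls items above describe a mechanism rather than just a rule: limit what each job role can read, record every access, and review the log for access that exceeds what the role needs. The following Python is an added illustration of that mechanism and is not code from the original post or from Compliancy Group; the role-to-field map, the patient assignments, the threshold and the access events are all constructed sample data, and the function and field names are hypothetical.

```python
"""Role-based PHI access check plus audit-log review.

Added illustration, not code from the original post. The roles, fields,
patient assignments and access events below are constructed sample data.
"""

# Hypothetical map of job role -> PHI fields that role may read.
# "Minimum necessary" is enforced by keeping each set as small as the job allows.
ROLE_PERMISSIONS = {
    "clinician": {"demographics", "clinical_notes", "diagnoses", "medications"},
    "billing": {"demographics", "insurance", "diagnoses"},
    "front_desk": {"demographics", "appointments"},
}


def allowed_fields(role):
    """Fields a role may read; unknown roles get nothing (deny by default)."""
    return ROLE_PERMISSIONS.get(role, set())


def access_phi(user, role, patient_id, requested_fields, record, audit_log, when):
    """Return only the permitted fields of a record and write an audit entry.

    Denied fields are logged as well, so a reviewer can see probing attempts,
    not just successful reads.
    """
    permitted = allowed_fields(role)
    granted = sorted(f for f in requested_fields if f in permitted)
    denied = sorted(f for f in requested_fields if f not in permitted)
    audit_log.append({
        "time": when, "user": user, "role": role, "patient": patient_id,
        "granted": granted, "denied": denied,
    })
    return {f: record[f] for f in granted if f in record}


def review_audit_log(audit_log, assigned_patients, max_distinct_patients):
    """Flag three patterns a periodic log review should catch:
    - a user asked for fields their role does not allow,
    - a user read a patient not assigned to them,
    - a user touched more distinct patients than their job plausibly needs.
    Returns a list of (user, finding, detail) tuples in detection order.
    """
    findings = []
    patients_per_user = {}
    for entry in audit_log:
        patients_per_user.setdefault(entry["user"], set()).add(entry["patient"])
        if entry["denied"]:
            findings.append((entry["user"], "denied_fields", entry["patient"]))
        if entry["patient"] not in assigned_patients.get(entry["user"], set()):
            findings.append((entry["user"], "unassigned_patient", entry["patient"]))
    for user, patients in patients_per_user.items():
        if len(patients) > max_distinct_patients:
            findings.append((user, "excessive_volume", len(patients)))
    return findings


# Constructed sample record; every field is a placeholder string.
SAMPLE_RECORD = {
    "demographics": "name/address placeholder",
    "clinical_notes": "session notes placeholder",
    "diagnoses": "diagnosis code placeholder",
    "medications": "medication list placeholder",
    "insurance": "payer placeholder",
    "appointments": "next visit placeholder",
}


def run_demo():
    """Replay a constructed sequence of access events and review the log."""
    audit_log = []
    events = [  # (user, role, patient, requested fields)
        ("dr_ann", "clinician", "P001", ["clinical_notes", "diagnoses"]),
        ("dr_ann", "clinician", "P002", ["clinical_notes"]),
        ("bob_billing", "billing", "P001", ["insurance", "clinical_notes"]),
        ("cara_desk", "front_desk", "P003", ["appointments"]),
        ("cara_desk", "front_desk", "P004", ["demographics"]),
        ("cara_desk", "front_desk", "P005", ["demographics"]),
    ]
    for i, (user, role, patient, fields) in enumerate(events):
        access_phi(user, role, patient, fields, SAMPLE_RECORD, audit_log, f"t{i}")
    # Constructed assignments: which patients each user is supposed to work with.
    assigned = {"dr_ann": {"P001", "P002"}, "bob_billing": {"P001"},
                "cara_desk": {"P003", "P004"}}
    return review_audit_log(audit_log, assigned, max_distinct_patients=2)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In the demo the billing user's request for clinical notes is refused and logged, the front-desk user's read of an unassigned patient is flagged, and the same user is also flagged for touching more distinct patients than the constructed threshold allows. In a real practice the threshold and the assignment list would come from scheduling or EHR data, and the review would run on a fixed cadence rather than once.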
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.