2021 HIPAA Enforcement Update – OCR Focus on Rights of Access Continues | Locke Lord LLP

From January 2021 through April 2021, the Department of Health and Human Services, Office for Civil Rights (OCR) announced six settlement agreements to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. Five of these settlements have been in relation to OCR’s HIPAA Right of Access Initiative. One settlement so far in 2021 centers on risks arising from cybersecurity incidents and inadequate internal processes.

Settlement Following Data Breach

On January 15, 2021, HHS announced a $5.1 million settlement with Excellus Health Plan, Inc. for potential violations of the HIPAA Privacy and Security Rules related to a breach affecting over 9.3 million individuals. In September 2015, Excellus Health Plan filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems. Excellus Health Plan reported that the breach began on or before December 23, 2013 and ended on May 11, 2015. The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, social security numbers, bank account information, health plan claims, and clinical treatment information. OCR’s investigation found potential violations of the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failures to implement risk management, information system activity review, and access controls.

In its press release announcing the settlement, OCR expressed particular concern with its finding that hackers roamed inside the Excellus health record system undetected for over a year. OCR emphasized that “[h]acking continues to be the greatest threat to the privacy and security of individuals’ health information” and that covered entities must “step up their game” to protect the privacy of people’s health information from sophisticated hackers.

Settlements for Rights of Access Violations

In 2019, OCR announced the creation of its Right of Access Initiative, intended to support individuals’ right of timely access to their health records. OCR has settled 18 investigations related to its Right of Access Initiative. From the beginning of 2021 through the end of April 2021, five of the six settlements OCR announced have been in relation to the HIPAA Right of Access Initiative, and they are as follows:

  • On January 12, 2021, Banner Health, on behalf of the Banner Health affiliated covered entities (Banner Health ACE), agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. OCR received two complaints filed against Banner Health ACE entities. The first complaint alleged that the individual requested access to her medical records in December 2017 and did not receive the records until May 2018. The second complaint alleged that the individual requested access to an electronic copy of his records in September 2019, and the records were not sent until February 2020. OCR’s investigation determined that the Banner Health ACE entities’ failure to provide timely access to the requested medical records constituted potential violations of the HIPAA right of access standard.
  • On February 10, 2021, OCR announced that Renown Health, P.C., a private, not-for-profit health system in Nevada, agreed to take corrective actions and pay $75,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In February 2019, OCR received a complaint alleging that Renown Health failed to respond in a timely manner to a patient’s request that an electronic copy of her protected health information, including billing records, be sent to a third party.
  • On February 12, 2021, OCR announced that Sharp Rees-Stealy Medical Centers (“SRMC”) agreed to take corrective actions and pay $70,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In June 2019, a complaint was filed with OCR alleging that SRMC failed to take timely action in response to a patient’s records access request directing that an electronic copy of protected health information in an electronic health record be sent to a third party. OCR provided SRMC with technical assistance on the HIPAA Right of Access requirements. In August 2019, OCR received a second complaint alleging that SRMC still had not responded to the patient’s records access request. OCR initiated an investigation and determined that SRMC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
  • On March 24, 2012, OCR announced that Arbour Hospital (“Arbour”) agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In July 2019, a complaint was filed with OCR alleging that Arbour failed to take timely action in response to a patient’s records access request made in May 2019. OCR provided Arbour with technical assistance on the HIPAA Right of Access requirements. Later, in July 2019, OCR received a second complaint alleging that Arbour still had not responded to the same patient’s records access request. OCR initiated an investigation and determined that Arbour’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
  • On March 26, 2021, OCR announced that Village Plastic Surgery (“VPS”) agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard. In September 2019, a complaint was filed with OCR alleging that VPS failed to take timely action in response to a patient’s records access request made in August 2019.

On January 21, 2021, HHS released proposed modifications to the HIPAA Privacy Rule that, if adopted, will affect an individual’s right of access. The proposed rule would shorten a covered entity’s response time for right of access requests to no later than 15 calendar days (with the possibility of a one-time 15 calendar day extension). HHS is also proposing to expressly prohibit a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier to access or an unreasonable delay. The comment period for these rules closed on May 6, 2021.
