[ Monday, December 30, 2024 ]
Recent OCR Enforcement Actions: I've been pretty lazy on the blogging front lately, and let a bunch of items stack up, particularly noting the various enforcement actions of OCR. Now that it's the end of the year and I'm clearing out some old emails, let me post about a few.
First, OCR continues to make hay with relatively small fines against covered entities that fail to quickly and fully provide access to patients who ask for their PHI. Why do they fail or delay? Sometimes confusion, sometimes bad bureaucracy, but often it's because they want to punish a patient for failing to pay or finding another provider. Those are bad reasons, and if you do so, you should be punished. And why are the fines small? It's usually not a systemic problem (the way a breach shows that a covered entity has overall poor HIPAA hygiene), and it often also involves smaller covered entities who don't have the financial wherewithal to pay 6-figure settlements.
Other settlements involve the big issues: breaches, ransomware, overall HIPAA failures.
Anyway, here are some recent ones.
- October 21, 2024: OCR fines Gums Dental Care, a solo practice, $70,000 for failing to give a patient access to PHI.
- October 31, 2024: OCR settles with Plastic Surgery Associates of South Dakota, levying a $500,000 fine for a ransomware attack and breach that affected over 10,000 patients. A brute-force attack succeeded, and the attackers encrypted 9 workstations and 2 servers, which the medical practice could not restore from backup. The "usual suspect" problems were there: lack of a good risk analysis, insufficient security measures, lack of system activity auditing, and insufficient policies and procedures.
- November 1, 2024: OCR fines Oklahoma's Bryan County Ambulance Authority $90,000 for its failures in connection with a ransomware attack that encrypted the files of over 14,000 patients. Lack of a good risk analysis and risk management plan was the primary cause.
- November 19, 2024: OCR fines Rio Hondo (CA) Community Mental Health Center $100,000 for a 7-month delay in providing a patient with access to his/her records.
- December 2, 2024: OCR fines Holy Redeemer Hospital $35,581 for improperly providing a patient's employer with too much of the patient's reproductive health information. It appears that the patient had a test done and wanted the hospital to report the results of the test to the patient's employer, but the hospital mistakenly provided a lot more information, perhaps the patient's entire file regarding the matter in question. OCR's hyper-politicization regarding abortion and "reproductive health" information, combined with the small (and odd) amount of the fine, might be a clue to what's really going on here.
- December 4, 2024: BOOM! OCR fines Gulf Coast Pain Consultants $1,190,000 for failing to prevent a former contractor from accessing about 35,000 patient records. The former contractor was using the records to file false Medicare claims. In addition to failing to cut off the former contractor's access, GCPC's errors included insufficient risk analysis and lack of system activity review.
- December 6, 2024: Children's Hospital of Colorado pays about $550,000 to settle HIPAA claims relating to several email phishing breaches affecting about 11,000 patients' data. Lack of MFA and employees sharing their passwords contributed to the success of the attacks. CHC's sins included lack of employee training and (of course) lack of a sufficient risk analysis.
- December 10, 2024: OCR and Inmediata Health Group (a health care clearinghouse) enter into a $250,000 settlement over Inmediata's failure to secure the PHI of about 1.5 million people, which was available online. The situation also apparently resulted in Inmediata settling with 33 states regarding the matter. Lack of a risk analysis and lack of system activity review were determined to be part of the cause.
Jeff [3:31 PM]