[ Monday, May 26, 2025 ]
Happy Memorial Day!
Sorry I've not posted in forever, and when I do it's few and far between, but it has been a very busy spring and when I've had time, I didn't think about the blog. But here's a compilation of stuff that's happened since the beginning of the year (and a few things from the end of last year):
- Access cases: Oregon Health & Science University got tagged with one of the biggest fines for failing to provide a patient with access to his/her PHI, paying $200,000. It was OCR's 53rd enforcement case for an access violation. Apparently, the matter involved a business associate of OHSU. However, the bigger take-away is that this was the second time OCR had to get involved in an access issue between OHSU and the same patient; the first time, OCR issued "guidance," which is basically when OCR decides that the covered entity screwed up but can get away with a warning if they fix the issue. When the patient filed a second complaint, OCR decided that a harsher punishment was necessary.
- Risk Analysis Initiative: In addition to a special focus on the right of access, OCR has started specifically directing investigations and issuing fines where covered entities fail to conduct a security risk assessment (SRA), as required by the Security Rule. As any HIPAAcrat knows, lack of a good SRA is a factor in almost every major HIPAA breach (along with a lack of good policies and procedures). However, instead of simply listing it as an element of the offense resulting in the fine, OCR is now specifically calling them out. And recently called out was wellness plan provider Health Fitness, which suffered 4 breaches in a 3-month period due to exposures of PHI on its website. Health Fitness had to enter into a corrective action plan and was fined $227,816, likely in part because they discovered the software problem 4 months before the breaches started.
- Risk Analysis Initiative: Another risk analysis issue befell Northeast Radiology in NY and CT (I guess they do CTs in CT). This was the 5th enforcement action specifically targeting SRA failure. NERAD left their PACS server exposed, at least partly due to the failure to do a good SRA, and the PHI of almost 300,000 patients was breached. NERAD entered into a corrective action plan and paid a fine of $350,000.
- Ransomware: OCR fined Guam Memorial Hospital $25,000 due to a ransomware attack. 5000 patients were affected, and the investigation uncovered multiple failures by GMHA, including the usual litany: lack of a comprehensive risk assessment, poor risk management, lack of policies, lack of training, and a failure to audit access logs. OCR also fined Comprehensive Neurology of NYC $25,000 for its ransomware event. It marks the 12th ransomware settlement and the 8th settlement in the risk analysis initiative.
Finally, I wanted to drop a note here about the tone of OCR public announcements. I understand the OCR is part of the administrative state, which is part of the executive branch, and the regulations drafted and revoked, enforcement actions pursued or neglected, and policies implemented or rejected all are going to reflect the focus and values of the President and his/her staff. But can we lay off the overt politicization of the bulletins and announcements? I know "they started it" (and they did: in its enforcement actions, policy priorities, and public statements OCR sounded like CPUSA), and I know that bullies need to be punched in the mouth to learn the lesson, but I'm tired of watching the lesson be taught. I'm actually glad that there's some pushback against the extremes of the prior administration, and I understand that there should be public announcements of important policy steps, but the announcements don't need to be vitriolic. Balance, please.
Jeff [11:55 AM]