The first week of National Cybersecurity Awareness Month (#NCSAM) 2020 is next week. The theme: If You Connect It, Protect It. How can you use it in your organization? We cover that plus OCR's five resolutions in one announcement reiterating their commitment to patient access rights.



This episode:

If You Connect It. Protect It. – Ep 274


If you need to know HIPAA you need to listen to this podcast

⭐ ⭐ ⭐ ⭐ ⭐

Well knock me down and steal my teeth- it’s another great podcast from Donna and David! Always in tune with current events and how HIPAA and security apply to our daily work. And thanks for keeping the learning fun!

BKhipaa via Apple Podcasts · United States of America · 09/08/20

I know that is you, Beth. Glad you got a chance to hear it, and glad you shared it. Clearly I did love it.


HIPAA Say What!?!

[07:41] If you are leaving your job you CANNOT just export a patient list and take it with you. It is NOT allowed because it is NOT TPO (treatment, payment, or health care operations). An easy one, but for some reason it comes up often.

If You Connect It. Protect It.

[12:39] As promised, we are reminding you that next week begins the first week of Cybersecurity Awareness Month. The theme for this week is If You Connect It. Protect It.

As we have said many times before, there are a lot of freely available resources that can be used to promote these themes in very simple ways within your organization. Here are some we thought may be particularly helpful.

DHS NCSAM INTERNET OF THINGS Tip Sheet: a one-page PDF with a "why do we care" section as well as tips for improving the cybersecurity of connected devices.

Another one of those tip sheets is the CYBERSECURITY WHILE TRAVELING Tip Sheet.

You can also start rolling out some of the short awareness videos in the Security Awareness Episodes series. Spread these out over the month based on what you find most relevant to your situation. They all include blog posts to go with them for those who do better reading than watching a video.

If you signed up as a Champion, you have access to additional content that will be distributed by the NCSA group each week. For week one there is a flyer and a pretty cool video. The flyer CYBERSECURE YOUR SMART HOME and the video of the same name include

We have been trying to build things that connect cybersecurity to each person specifically. Everyone needs to learn to handle their own device security, not just at work. But here is the thing: the more you have them involved in worrying about it at home, the more they worry about it at work too. With that in mind, make sure each week you include things about sharing with family and friends. You can include the same ones or different ones. This week, start your awareness month by sharing the Tips for Seniors sheet, at least.

[23:03] Encourage everyone to share this with seniors in their family or community who need help protecting themselves from scammers on the internet. We as a community will all win when we work together like that. We don't have much of a chance otherwise. If everyone finds something they connect with this way, you have found a way to educate them better than a thousand video classes.

One final tool you should review is the Five Ways to Make Your Virtual Cybersecurity Awareness Month a Success flyer. Remember to share using #BeCyberSmart on social media too.

A somber note about the importance of an incident response plan.

A hospital in Germany was hit by a ransomware attack. They were so overwhelmed that they turned away ambulances and sent them miles away. One patient died before reaching the second hospital. This is exactly why we need a plan to address patient care even when there is a ransomware attack. More on this in coming episodes.

5 New Settlements – 1 Announcement

[34:10] I just told a group last Thursday that they needed to audit their right of access policies and procedures to make sure everything was in line with the right of access rules. Also, make sure those policies and procedures are being followed and documented properly. The enforcement initiative started last year and there were a couple of announcements, but I expected more soon. Literally five days later this announcement comes out: OCR Settles Five More Investigations in HIPAA Right of Access Initiative

All five cases involve a CAP (corrective action plan) and some amount of cash paid out. None of the investigations appear to have pushed into Security Rule issues, which OCR could have done. It sounds like some of these folks are lucky they didn't. Hopefully, they will address more than what the CAP includes, because one more visit by OCR about security breaches probably will not be a good thing for any of them.

I think it is important to include the exact wording included in one section of the press release to make sure no one misses it:

Sending a Message about the Importance of Access to Health Records

OCR’s enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules. OCR considers a variety of factors in determining the amount of a settlement including the nature and extent of the potential HIPAA violation; the nature and extent of the harm resulting from the potential HIPAA violation; the entity’s history with respect to compliance with the HIPAA Rules; the financial condition of the entity, including its size and the impact of the COVID-19 public health emergency; and other matters as justice may require.

"Patients can't take charge of their health care decisions, without timely access to their own medical information," said OCR Director Roger Severino. "Today's announcement is about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough," Severino added. (OCR)

Let’s do a quick review of each of the cases.

[32:57] 1 – Housing Works Community Healthcare, a NYC non-profit that provides health care, advocacy, job training, reentry services, and legal aid support for patients dealing with homelessness and HIV. In July 2019, OCR received a complaint that records requested in June had not been received. OCR called them up and did their "technical assistance," explaining that this should be corrected and that they should start following the rules. But guess what...

On August 13, 2019, OCR received a second complaint from the same patient saying the records STILL hadn't been supplied. The patient finally received his medical records in November 2019 with OCR's involvement.

So, that one is easy: OCR said we played nice and you did not participate. Pay us $38,000 and go on this 2-year CAP that focuses on making sure you have proper policies and procedures, with staff trained to provide patient access to records within the guidelines of the HIPAA requirements. The press release says it is a 1-year CAP, but the resolution agreement says 2, so we will go with that number.

2 – All Inclusive Medical Services, Inc. (AIMS) of Carmichael, California, is a multi-specialty family medicine clinic that provides a variety of services to patients in the area. In their case, they agreed to pay $15,000 plus go on a 2-year CAP. Their CAP sounds like it is focused on some other parts of the Privacy Rule also. This story has an odd gap in it, but here is what the press release said:

In April 2018, OCR received a complaint alleging that in January 2018, AIMS refused to give a patient access to her medical records when it denied her requests to inspect and receive a copy of her records. OCR initiated an investigation and determined that AIMS's actions were potential violations of the HIPAA right of access standard. As a result of OCR's investigation, AIMS sent the patient her medical records in August 2020. (OCR Press Release)

Their CAP included things like updates to their NPP (Notice of Privacy Practices) requirements and notice, plus documentation policies, among others. There were 8 items in total.

3 – Beth Israel Lahey Health Behavioral Services, which is the largest network of mental health and substance use disorder services in eastern Massachusetts, joins the group next. They agreed to pay $70,000 and a 1-year CAP.

In April 2019, OCR received a complaint that the CE (covered entity) failed to respond to a February 2019 request from a personal representative seeking access to her father's medical records. As a result of OCR's investigation, Beth Israel Lahey finally sent the personal representative her father's medical records in October 2019, as requested in February.

This CAP included the policies and procedures you would expect, but it also included making sure their sanction policy addressed these failures and that the workforce was trained that they would be sanctioned if they didn't follow the updated policies and procedures.

4 – Patricia King MD & Associates (King MD), a small provider of psychiatric services in Virginia, is next up after agreeing to pay $3,500 and start a 2-year CAP that is focused only on the patient access requirements and on the related policies and procedures being handled properly.

In an October 2018 complaint, a patient alleged that King MD failed to respond to her August 2018 request for access to her medical records. OCR did the "technical assistance" thing again, trying to get things on track nicely. In February 2019, OCR received a second complaint saying that the practice still had not provided the individual with access to her medical records. King MD finally sent the individual her medical records in July 2020, after OCR had to step in again, with a bigger presence this time.

5 – Wise Psychiatry, PC agreed to pay $10,000 to OCR and to adopt a 1-year CAP as well. Wise Psychiatry is a small health care provider that provides psychiatric services in Colorado.

In February 2018, OCR received a complaint that Wise Psychiatry failed to provide a personal representative with access to his minor son’s medical records. The complainant requested access in November 2017. OCR provided Wise Psychiatry with “technical assistance” on the HIPAA right of access requirements and closed that complaint in April 2018. In October 2018, OCR received a second complaint that the records had still not been provided. Wise Psychiatry finally sent the personal representative his son’s medical records in May 2019.

This CAP is a bit different from the others. It says a bit more about the policies, procedures, and training, including pointing out that your BAs (business associates) should know what your policies and procedures say about these things if they are involved.

Wise Psychiatry recently adopted written policies and procedures titled, "Patients Request for Records" which comply with the Federal standards that govern the privacy of individually identifiable health information (45 C.F.R. Part 160 and Subparts A and E of Part 164, the "Privacy Rule"). Wise Psychiatry's policies and procedures address, but are not limited to, the Covered Conduct specified in paragraph I.2 of the Agreement. (OCR Resolution Agreement)

Looks like these guys jumped on it and started trying to fix things, which is great to see. Their CAP says they have to actually implement them, though. That means training the workforce and the necessary BAs, which, it points out, should be done whenever the policies and procedures change.

The total result

The total amount paid out for the five cases is $136,500. It isn't about the money here. OCR wants them on that CAP so it can make sure that patient rights are protected. Supervising them for that long should embed the culture of privacy and security we are always talking about. At least, we know that is what OCR is hoping everyone would do.

With these 5, that brings the total number of enforcement actions announced for 2020 to 8. The total amount of those settlements is just a little over $1.3m, so again we say: do not let all the talk about the scary fines and penalties be your motivation. Be motivated because your patients deserve to have their rights respected and protected. Oh, and another thing: your reputation literally depends on it.

A wide variety of topics today. Hopefully, there was a little something for everyone. As David said today, the rabbit holes we chase often have the best nuggets of information.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it's about patient care.™

Special thanks to our sponsors Security First IT and Kardon.