The OCR enforcement announcements keep coming. Our reviews of not only the new announcements but news on some of the older ones are the topic for today. Did you know one from 2018 is still being reviewed in the courts while we get new ones already in 2021?
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Remember to subscribe on your favorite podcasting app, share us on Social Media, and rate us wherever you find the opportunity.
The HIPAA Boot Camp
Virtual Edition Feb 23-25, 2021
More info at TheHIPAABootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[07:37] Let’s talk about a specific case back in the news.
MD Anderson Case
Judge Vacates $4.3M OCR Penalty Against MD Anderson Over Data Loss
The ruling says enforcement against the healthcare system can be done but they made note that the penalty structure was changed after this settlement. While the case is being sent back to the two parties and lower courts to work out the major change, it looks like the amount will be reduced from over $4 million to $450,000. That is a big difference!
One cool thing about the ruling is we got to learn a new word! Transmogrify: transform in a surprising or magical manner: “the cucumbers that were ultimately transmogrified into pickles”.
“Maybe so, maybe not. But that’s precisely the sort of policy argument that HHS could vet in a rulemaking proceeding,” it added. “It’s not an acceptable basis for urging us to transmogrify the regulation HHS wrote into a broader one.”
Notably, HHS OCR did move to reduce the annual limit of civil penalties applied to HIPAA violations for three of its four penalty tiers in April 2019, very shortly after MD Anderson filed its third appeal.
The judge ruled the HHS decision to levy the multi-million dollar fine against MD Anderson was “arbitrary, capricious, and contrary to law.” Apparently, during the hearing HHS conceded that it could not defend that huge fine and that it would now be no more than $450,000.
OCR Enforcement News
That covers the older ones; now let’s get into some of the ones we just got in 2021. Of course, we have to have another patient right of access deal.
Banner Right of Access
OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative
[20:06] Banner Health, on behalf of the Banner Health affiliated covered entities (Banner Health ACE), has agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard. Banner Health is a non-profit health system based in Phoenix, Arizona. Banner Health operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities and is one of the largest healthcare systems in the United States.
OCR received two complaints filed against Banner Health ACE entities alleging violations of the HIPAA Right of Access standard. The first complaint alleged that the individual requested access to her medical records in December 2017, and did not receive the records until May 2018.
The second complaint alleged that the individual requested access to an electronic copy of his records in September 2019, and the records were not sent until February 2020. OCR’s investigations determined that the Banner Health ACE entities’ failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access standard.
Excellus Health Plan
Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People
[24:14] On September 9, 2015, Excellus Health Plan filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems. Excellus Health Plan reported that the breach began on or before December 23, 2013, and ended on May 11, 2015. The hackers installed malware and conducted reconnaissance activities that ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information.
OCR’s investigation found potential violations of the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.
The CAP (corrective action plan) language continues to show us what should be in an SRA (security risk analysis).
“Prior to conducting the Risk Analysis, EHP shall develop a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI that will then be incorporated into its Risk Analysis.”
We continue to see this sort of statement included in the CAPs. I think it is a welcome addition.
To close out his tenure, Severino completed some enforcement cases that had been in the works for a while. It will be interesting to see what happens while we wait for a new appointment to the role.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.