OCR recently announced the resolution of 12 investigations. Eleven were for patient right of access violations and one was a big dollar settlement of a security incident at Oklahoma State University Center for Health Services. Lots to cover and learn in this episode. So, pay attention, folks.
In this episode:
OCR Mic Drops With 12 Cases – Ep 366
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
The Privacy and Security Boot Camp
3.5 day In Person Event
Sep 12, 13, 14 and 15
PriSecBootCamp.com
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Say What!?!
[08:27] The HIPAA Security Rule, 45 CFR 164.306(a)(2), says: "Protect against any reasonably anticipated threats or hazards to the security or integrity of such information." People often don't quite understand what "reasonably anticipated threats" means. Basically, it is the security threats, alerts, notices, etc. that you hear or read about in the news, online, or even on podcasts like ours. Here are two recent examples: one is a CISA joint cybersecurity advisory, and the other is an article published by SecurityWeek.
North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector | CISA – This is a joint bulletin from the FBI, CISA, and the US Treasury Department.
Microsoft: North Korean Hackers Target SMBs With H0lyGh0st Ransomware | SecurityWeek.Com
Microsoft this week sounded the alarm on a North Korean threat actor using the H0lyGh0st ransomware in attacks targeting small and midsize businesses worldwide.
If you are an SMB anywhere in the world, or you are in the Healthcare and Public Health Sector, pay attention to these alerts.
If you are an SMB in the Healthcare and Public Health Sector in the US, you should definitely consider North Korean cyberattacks a reasonably anticipated threat and evaluate the protections you have in place against the details of these announcements.
405(d) Tip of the Week
[15:19] New 405(d) Awareness Product: How to Implement Patching. Not sure where to start? We've got you covered! We have created three "How-to" resources, one each for small, medium, and large organizations, so that you can start protecting your patients from cyber threats right now!
For more information and resources visit our website at 405d.hhs.gov!
OCR Mic Drops With 11 Patient Right of Access Cases
[20:36] Eleven Enforcement Actions Uphold Patients' Rights Under HIPAA – July 15, 2022. Yes, all 11 were announced at the same time. They weren't all resolved on the same day, but OCR definitely seems to save them up to make a big splash and get your attention.
Before we get to those 11, let's cover the single case with a much bigger settlement amount, announced the day before these 11 right of access enforcement actions: Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach | HHS.gov
Oklahoma State – Center for Health Services Data Breach
OSU-CHS filed a breach report on Jan 5, 2018, saying an "unauthorized third party gained access to a web server that contained electronic protected health information (ePHI)". Malware installed "on a web server" resulted in the disclosure of the ePHI of 279,865 individuals, including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information.
You may think $875k is a lot for a web server breach, or you may not. The reason we are learning about this case is that OSU-CHS had to come back to the well and update its breach report. They found out the same server had been compromised over a year before this breach, and no one had done anything about it.
At the time of the 2016 incident, OSU-CHS reported that it was not aware that there was electronic PHI stored on that server.
I have to say, I worry about this happening a lot. While looking into a current event, you learn that this same server was hit over a year ago. At the time, someone said it was not a big deal because there was no PHI on there. Well... as it turns out, it appears that no one ever actually looked to see if there was PHI on that server.
While the 2018 incident seems to have been managed properly, with notifications to HHS and the patients, it turns out there was something in the closet that jumped out once someone started asking questions.
[29:20] The OSU resolution agreement includes a "robust" 2-year CAP.
The CAP includes all the normal parts we expect for a Security Rule case like this one. But this is only the 2nd or 3rd time we have seen a Monitor added to the program.
The Monitor and OSU-CHS must retain every kind of document created for this program, including draft reports between the two of them, and supply them to HHS for inspection and copying. All must be retained for 6 years.
The Monitor's reviews must address and analyze compliance with the CAP. The Monitor will also assist in conducting assessments to make sure OSU-CHS is compliant with the requirements of the CAP. Basically, the Monitor will do what we do for our clients on a regular basis. But, and here is the big difference between what we do and what this requires, quarterly reports of the Monitor's reviews must be submitted to HHS and OSU-CHS detailing the status of the CAP requirements. And, an even bigger deal, any "significant violations of the CAP" must be reported immediately by the Monitor to HHS.
Even tougher, OSU can't terminate any Monitor during the engagement period without submitting notice to HHS and explaining why it intends to terminate the engagement "prior to the termination, unless exigent circumstances require immediate termination".
If they do terminate a Monitor, they must replace them within 30 days of the termination with a Monitor that HHS approves, just like in the original engagement. If HHS doesn't like who you hire, you will just need to keep trying until you get someone they approve of, or you will be in a big mess with HHS.
Oh, and all you folks wanting to be a Monitor, make sure you understand this part:
Plus, don't think the Monitor reports replace any other reports required in a normal CAP. They do not. They are in addition to the implementation reports, which must carry an attestation signed by an owner or officer each time they are submitted.
Right of Access Mic Drop
[38:37] All but 1 of the cases is a resolution settlement; one is a CMP (civil money penalty). The total for these 11 is $646,000. The CAPs all look to be 1 year.

| Entity | Amount | Issue |
|---|---|---|
| ACPM Podiatry, Peoria, IL | $100,000 (CMP) | Patient asked for records many times beginning 9/2018 to appeal an insurance denial. 11/18 written request; 12/18 "too busy" at year end; 1/19 per Dr: "Until ins pays bill no recs will be released"; 4/8/19 complaint filed, OCR tells ACPM to give the patient the records; 4/24/19 "We still have your request and we have your number"; another complaint filed May 2019; ACPM ignores OCR; incomplete records finally given to the patient July 23, 2020 (618 days). ACPM has not provided a response yet. |
| Associated Retina Specialists, NY, NY | $22,500 | 2/18/2021 complaint. OCR notified them of the investigation, and 3 days later the patient got their records, almost 5 months after the initial request. |
| Lawrence Bell, Jr., DDS, Baltimore, MD | $5,000 | Patient requested records 7/15/19 and had not gotten them; 10/15/19 complaint. CAP requires them to provide the records within 15 days of the agreement. |
| Coastal ENT, Ormond Beach, FL | $20,000 | Patient requested records 12/15/20 and 1/8/21; filed complaints 1/27/21 and 4/20/21; patient got records 5/20/21. |
| Danbury Psychiatric, MA | $3,500 | 3/24/20 request; records not provided on the basis of an outstanding balance, and a signed request or authorization form was required. 3/27/20 complaint filed; 9/14/20 records provided. |
| Erie County Medical Center, Buffalo, NY | $50,000 | 12/26/19 complaint filed. Records eventually provided. |
| Fallbrook Family Health, NE | $30,000 | Patient made 3 written requests and filed a complaint. Got records 6/19/2020. FFHC said it was because a workforce member misunderstood the right of access. |
| Hillcrest Nursing and Rehab, MA | $55,000 | 3/22/20 mother requested son's records; 7/13/2020 complaint; 10/10/20 records provided. |
| MelroseWakefield, MA | $55,000 | 6/12/20 request by personal representative for mother's records, denied because a durable power of attorney was deemed not enough to grant access; 7/20/20 complaint filed; 10/20/20 records provided. |
| Memorial Hermann, SE TX health system | $240,000 | 6/19 – 1/20 patient made 5 requests for records; 8/31/20 complaint filed; 3/26/21 records provided. |
| Southwest Surgical, Houston, TX | $65,000 | 12/12/20 complaint filed; 2/16/21 OCR notification of investigation; 3/5/21 records provided. |

That brings the total number of right of access cases to 38, with $2,268,650 levied one way or another (settlements and CMPs) and a median of roughly $44k per case.
Please make sure this is being done right in your offices!
As usual, you can learn a lot from the CAPs OCR hands down to businesses that have had privacy and/or security violations. The newest addition to the CAP is the designation of a Monitor to review an entity's compliance with the OCR CAP. Following a normal CAP is hard enough, with all the documentation and reports you have to file with OCR within specific time frames. It's not going to get any easier, folks.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.