At VanRein Compliance, we don’t like to scare people by focusing on stories of data breaches and things gone wrong… but when better to tell scary stories than around Halloween? (Don’t worry, we’ll bring it back around with some lessons and tips we can take away).
Last year, HHS and OCR received 32,770 cases. 25,089 of those cases originated as patient or customer complaints. This year, they expect to see 26,000 complaints. In good news though, HHS has said in most cases covered entities and business associates are able to show they’ve come into compliance.
A few of this year’s scary HIPAA stories
This case originated as a complaint and involved patient access to medical records. A new mother requested records related to the birth; she made two requests in October 2017. Even though she got an attorney involved, she did not receive full records until February 2019.
Bayfront agreed to an $85,000 settlement with a 1 year corrective action plan including monitoring by OCR.
OCR informed Touchstone they were able to see patient information online, including social security numbers due to a FTP server allowing uncontrolled access. Separately, the FBI contacted Touchstone as they had also found patient information online. Touchstone insisted there was nothing wrong, ignored both organizations, and did not investigate or notify their patients or the media until months later. Eventually it was found that over 300,000 people’s information was online.
It was also found that Touchstone had failed to conduct a thorough risk analysis, didn’t have BAAs in place with vendors, especially their IT and data providers, and didn’t have security incident procedures.
Touchstone agreed to a $3,000,000 settlement and a 2 year corrective action plan.
Hackers targeted Medical Informatics Engineering and used a compromised user ID and password to get ahold of the ePHI of 3.5 million patients. Patients filed a class action lawsuit and 12 state attorneys generals filed a multi-state federal lawsuit. Their settlement with HHS focused on risk analysis and a risk management plan.
Medical Informatics Engineering agreed to a $100,000 fine and a 2 year corrective action plan focused on performing proper risk analysis.
This case also started as a patient complaint. A patient posted a negative review on Yelp, and someone at the practice responded with the patient’s full name and details of their treatment, insurance, and treatment costs. When the OCR investigated, they found Elite Dental had done the same thing with multiple other patients and had no policies and procedures in place for social media conduct, nor a HIPAA compliant Notice of Privacy Practices.
Elite Dental agreed to a $10,000 fine and a 2 year corrective action plan focused on policies and procedures and training.
Pagosa Springs started as a complaint by a former employee. The employee saw they still had access to the hospital’s scheduling calendar for months after they left the hospital. OCR found that the hospital didn’t have sufficient policies and procedures in place, and had no BAA with Google, which hosted their scheduling calendar.
Pagosa Springs Medical Center agreed to a $111,400 fine and a 2 year corrective action plan focused on updating security management and BAAs, policies and procedures, and employee training.
Tips to Take Away
- Comply with OCR investigators and address any concerns they bring up.
- Conduct thorough yearly risk assessments.
- Have BAAs in place with all business associates if you’re a covered entity, or vice versa.
- Have policies and procedures in place to address social media conduct and security breaches.
- Delete user IDs and remove access for employees when they leave your organization.
- Make sure employees are trained on your policies and procedures.