HHS Announces Eight HIPAA Settlements
- The three largest settlements all relate to breaches from hackers who had access to ePHI (electronic protected health information) over an extended period of time.
- One of the settlements involves the second-largest HIPAA settlement amount in OCR’s history, amounting to $6.85 million.
- In addition to the three breach-related settlements, the OCR announced this past month that it had entered into five settlements related to patients’ access to their own health records.
The Bottom Line
Following a very quiet start to HIPAA settlement activity in 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced eight settlements with covered entities and business associates.
The most recent of these announcements involves the second-largest HIPAA settlement amount in OCR’s history, amounting to $6.85 million. This settlement with Premera Blue Cross (PBC) pertains to an incident that occurred in May 2014 when hackers installed malware to access PBC’s IT system. The cyberattack went undetected until January 2015 and resulted in the disclosure of electronic Protected Health Information (ePHI) for more than 10.4 million individuals, including names, addresses, dates of birth, Social Security numbers, bank account information, and health plan clinical information. After PBC discovered and reported the breach, the OCR conducted an investigation and found potential violations, including failures to:
- conduct a thorough assessment of the potential risks and vulnerabilities surrounding ePHI;
- implement sufficient security measures to reduce risks and vulnerabilities and hardware, software and procedural mechanisms to record and examine activity; and
- prevent unauthorized access to the ePHI of millions of individuals.
The large cash settlement is accompanied by a requirement that PBC follow a Corrective Action Plan, which will be monitored by the OCR for a period of two years. The Corrective Action Plan requires PBC to conduct a risk analysis and develop and implement a risk management plan, revise its privacy and security policies, make the policies available to its workforce, and provide an annual report to the OCR that identifies any additional reportable events related to material violations of the revised policies.
Earlier in the same week, the OCR announced that it reached settlements with Athens Orthopedic Clinic, PA (AOC), a clinic providing services to approximately 138,000 patients, and CHSPSC, LLC, a business associate providing IT and health information management services to hospitals and physicians.
The AOC settlement arises from a complaint alleging that AOC failed to prevent patient information from being posted online. AOC discovered the breach in June 2016 when a journalist notified it that a database of patient records was posted online for sale. Two days after AOC received this information, a hacker group emailed AOC to demand money in exchange for the return of the patient records. It was later discovered that the hacker group had access to AOC’s system for over a month through the use of a vendor’s credentials. The information posted online included patients’ names, dates of birth, medical procedures, Social Security numbers, test results, and health insurance information. In notifying the OCR of the breach, AOC reported that over 200,000 individuals were affected. The OCR investigated and found that AOC may have violated HIPAA by failing to:
- provide appropriate training to employees;
- enter into business associate agreements with certain business associates;
- conduct a risk analysis;
- implement risk management and audit controls; and
- maintain HIPAA Policies and Procedures.
AOC entered into a Resolution Agreement and Corrective Action Plan, agreeing to pay $1.5 million in penalties. The corrective action plan requires it to revise its business associate agreements as necessary, conduct a risk analysis, develop a risk management plan, revise its privacy, security, and breach notification policies, and provide training to its workforce on those policies. AOC’s compliance with the corrective action plan will be subject to monitoring by HHS for a period of two years.
The settlement agreement between the OCR and CHSPSC, LLC (CHSPSC) similarly involves hackers accessing ePHI maintained by the company, which in this case was a business associate handling data for a wide range of customers. In April 2014, the FBI notified CHSPSC that hackers had accessed its information system. The hackers continued to access ePHI until August 2014 by relying on compromised administrative credentials. Ultimately, over six million individuals were affected, with Social Security numbers, names, ethnicities, and emergency contact information included in the information that was disclosed. The OCR’s investigation indicated that CHSPSC could potentially have violated HIPAA by failing to:
- implement technical policies and procedures to limit access to its software programs and more generally prevent unauthorized access to ePHI on its network;
- respond to a known security incident, mitigate its harmful effects, and document the incident and its outcome;
- implement procedures to regularly review its information system activity; and
- conduct accurate and thorough assessments of potential risks and vulnerabilities to the security of ePHI.
CHSPSC agreed to pay $2.3 million and entered into a Resolution Agreement and Corrective Action Plan. Similar to the corrective action plans discussed above, CHSPSC must develop a risk analysis and risk management plan, revise its policies and procedures regarding its security and network access, and provide training to its workforce with respect to these policies.
These settlements all relate to breaches from hackers who had access to ePHI over an extended period of time. Well-organized hacking groups have targeted entities in the health care and health benefit industries to gain access to sensitive data. The factual descriptions in the settlement agreements do not offer much detail, but the penalties and corrective action plans imposed by OCR demonstrate the importance of maintaining proper security safeguards to prevent inappropriate access to ePHI and responding promptly to incidents when they are discovered.
In addition to the settlements discussed above, the OCR announced this past month that it had entered into five settlements related to patients’ access to their own health records. Under the applicable HIPAA rules, health care providers generally must provide individuals with their medical records within 30 days of a request. Providers may charge only reasonable cost-based fees with respect to such requests. Last year, the OCR launched a Right of Access Initiative to enforce patients’ rights to receive copies of their medical records in a timely manner without excessive charges.
The five new settlements announced this month demonstrate the OCR’s ongoing commitment to this initiative. All five settlements involve a health care provider’s failure to provide a patient with his or her medical records in a timely manner after receiving a request from the patient or his or her personal representative. The settlement amounts range from $3,500 to $70,000 and require the organization to comply with a corrective action plan and monitoring by the OCR for a period of one-to-two years.
The recent settlement announcements are consistent with OCR’s past practice of announcing a majority of its settlements during the last few months of the year. We will continue monitoring OCR announcements in the event that there are more settlements announced before year-end.
Click here to visit our Health Care Reform Dashboard.
Copyright © 2020 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.