Monthly Update: HIPAA Violations in December 2020
2020 was a bad year for healthcare data privacy. In fact, 2020 saw more data breaches than any other year since the OCR began publishing online breach reports. Not only that, but December was the second-worst month for the number of breached records. When data breaches occur, it's usually because of HIPAA violations. And the breaches this year were no exception. If you manage a healthcare facility, avoiding HIPAA violation penalties is paramount. That means having a staff that's well-informed to the ways data breaches happen. And of course, part of staying informed means knowing about recent data breaches. This article will get you up-to-date on the major HIPAA violation cases from December. We'll also explain proposed and coming changes to HIPAA Rules announced in December. This way you and your staff can stay informed and prepared for the future. From recent data breaches and recent settlements to changing laws, keep reading to learn all about the most significant recent updates regarding HIPAA law violation.
HIPAA Violations in 2020
By the end of 2020, healthcare data breaches were being reported at a rate of two per day. That's twice the rate of data breaches reported in last January. Throughout 2020, healthcare data breaches increased by 31.9% month over month. Surprisingly, that may not be the entire story. There might be more breaches from 2020 that aren't yet added to OCR's breach portal. But as it stands now, 2020 had 642 healthcare data breaches of 500 or more records. This means there were more breaches in 2020 than in any other year since the HITECH Act required OCR to publish data breach summaries publicly.
Healthcare Data Breaches Reported in December
While 2020 as a whole saw many breached healthcare records, December was the second-worst month. A total of 62 data breach reports occurred for the month. Those breaches affected 4,241,603 different healthcare records. Compared to November of the same year, December saw a 272.35% increase in breaches. Compared to the monthly average for 2020, there was a 92.25% increase. For context, in December 2019, there were only 41 reported healthcare data breaches. And during that month, only 397,862 records got breached in total.
Largest Data Breaches in December
Among the data breaches reported in December, two of them impacted more than one million individuals each. The largest data breach was a phishing attack on MEDNAX Services, Inc. Based in Florida, MEDNAX is a business associate for physician practice groups. It offers revenue cycle management, as well as other administrative services. In the attack, hackers sent phishing emails to MEDNAX's employees. Some of the employees responded to the phishing emails. This allowed the hackers to access to the company's Microsoft Office 365 email system. The compromised accounts contained protected health information from patients of MEDNAX's clients. In total, 1,290,670 individual patients had their data compromised as a result. Another large data breach from December involved Dental Care Alliance in Sarasota, Florida. It's a dental support organization with more than 320 affiliates, in 20 different states. Hackers were able to gain access to the organization's systems. This allowed them to view files that contained patient information. However, there's little information available about the nature of the attack.
Causes of Healthcare Data Breaches in December
HIPAA law violations can result from many types of breaches, not all of them digital. But healthcare data breaches are most often the result of cyberattacks by hackers. Ransomware gangs often target healthcare organizations protecting patients' privacy. Their attacks have increased significantly in recent months. In fact, five of the worst data breaches reported in December involved ransomware. Many of the smaller breaches did as well. Several healthcare providers recently reported affects from the same attack. All the way back in May 2020, Blackbaud Inc. reported a ransomware attack. Blackbaud is a cloud service provider, and multiple facilities were ultimately impacted. Phishing continues to be another major cause of healthcare data breaches. As we saw, this was the type of attack used in the biggest breach in December. There were 13 data breaches in December that involved unauthorized access of email accounts. Usually, phishing was used to acquire these credentials and access email accounts. Most, but not all, of the breaches for the month involved electronic access of PHI. However, 17.75% of breaches involved paper records and films. This fact highlights the importance of also safeguarding physical records and data. Overall, 33 hacking/IT incidents were reported in December. These incidents alone accounted for 98.39% of breached records for the month. A total of 4,173,519 records were compromised as a result of these incidents. There were also 21 unauthorized access/disclosure incidents reported. These reports involved 57,837 different records. Finally, there were seven theft and loss incidents reported. There was also one incident reported involving improper disposal of 501 records.
Entities Reporting Data Breaches in December
With 39 breaches reported, healthcare providers were the worst affected entity in December. However, there was a big increase in health plans reporting data breaches. Specifically, 17 different health plans reported breaches of 500 or more records. That's an increase of 183% from November. Additionally, there were only six data breaches reported by business associates. However, a full 40% of breaches (25 in total) involved business associates in some way. In several cases, covered entities reported breaches that associates experienced.
December Data Breaches by State
In all, 58% of U.S. states reported data breaches throughout December. Out of the 29 states, Florida was the worst affected with nine data breach reports. Pennsylvania also had a bad month with a total of seven breaches. Texas followed with four. Illinois, Tennessee, and North Carolina each made three data breach reports. The following states each reported two breaches: Wisconsin, Ohio, Minnesota, Massachusetts, Georgia, Connecticut, and Arizona. Finally, the following states each reported a single breach: West Virginia, Virginia, Utah, Oregon, Nebraska, Mississippi, Maine, Louisiana, Kentucky, Iowa, Indiana, Delaware, Colorado, California, and Arkansas.
HIPAA Enforcement in December
Where HIPAA enforcement is involved, 2020 has been a very busy year. More HIPAA violation penalties were imposed in 2020 than in any year since HHS started enforcing HIPAA compliance. Given that 2020 was such a big year for HIPAA violation reporting, this is unsurprising. In total, there were 19 settlements reached to resolve HIPAA violation cases.
Patient Waits Over a Year for Requested Medical Records
One of the settlements reached in December involved a particularly interesting case. It involved the failure of a healthcare provider to give timely access to healthcare records. All the way back in April 2019, the Office for Civil Rights received a complaint regarding a facility in Georgia. A patient of Elite Primary Care had requested their medical records, but the request went unfulfilled. That May, the OCR stepped in to give technical assistance to Elite Primary Care. This assistance should have helped them better handle Right of Access incidents in the future. After providing their assistance, the OCR closed the complaint. However, by October 2019, the patient had still not received access to their records. They filed a second complaint with the OCR, which launched an investigation. As a result of the investigation, the OCR determined that Elite Primary Care had potentially violated the Right of Access Standard. Even after the investigation, the patient had to wait for their records until May 2020. This was just over one year from their initial request. After the investigation, Elite Primary Care agreed to follow a corrective plan. The plan involves two full years of monitoring for future potential violations. The patient's physician, Dr. Peter Wroble, also faced a monetary penalty of $36,000. The settlement became the thirteenth financial penalty given under the HIPAA Right of Access initiative. It was also the eleventh such penalty to be given in 2020 alone.
New and Proposed Changes to HIPAA Law in December
December wasn't just a big month for HIPAA enforcement. It also saw significant new and proposed changes to HIPAA law. One of the changes involved a bill intended to mitigate penalties for potential violations. Additionally, several significant changes to the HIPAA Privacy Rule were proposed. Keep reading to find out what these are and stay informed.
New Bill Passed by Congress on December 19
On December 9, the House of Representatives passed H.R.7898. The Senate followed on December 19, passing the bill into law. The new law amends the Health Information Technology for Economic and Clinical Health Act. It requires the Secretary of Health and Human Services to consider "recognized security practices of HIPAA-covered entities and business associates whenever they make determinations to issue fines or penalties. The bill should benefit covered entities and associates dealing with a security incident when they take steps to document their compliance with the HIPAA Security Rule. In this way, it hopes to promote better compliance and practices following potential data breaches and HIPAA violations. This law is a welcome sign to covered businesses that have taken steps to record their security compliance. Companies will also need to consider the impact of the law on any ongoing investigations.
Changes to HIPAA Privacy Rule Proposed in December
The new security bill introduces considerable changes to HIPAA law. However, new changes proposed by the HHS are even more significant. On December 10, the Department of Health and Human Services proposed revisions to the HIPAA Privacy Rule. According to the HHS, the revisions would "address standards that may impede the transition to value-based health care. This will be done "by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens. Basically, the revisions would make things better for patients by changing how their PHI is used and provided. Among other things, the revisions would strengthen patients' right of access rules. For example, patients will be allowed to take notes or capture images of their own PHI. This would usually apply when patients review their health records with their doctor. Also, the time care providers are given to respond to data requests would be shortened. Currently, providers must respond to requests in no more than 30 days. They can also create an extension of another 30 days. Under the proposed rule, providers would have 15 days to respond and be allowed just a 15-day extension. In what might appear to be a trend reversal, identify verification requirements would be reduced. Reducing verification requirements should prevent a covered entity from imposing unreasonable demands on individuals exercising their right to their health data. Another security requirement would be eliminated by the revisions to further improve patient convenience. Specifically, it would no longer be necessary for care providers to obtain a patient's written acknowledgment of receipt of medical data. Together, the new and proposed changes could significantly benefit both providers and patients.
Avoid HIPAA Violations and Protect Your Patients in 2021
As you can see, HIPAA violations can get very serious. Data breaches put patients and caregivers alike at serious risk. Meanwhile, HIPAA violation fines can leave a healthcare facility literally bankrupt. Protecting healthcare data isn't limited to what you do inside the facility, either. The services you hire and businesses you partner with can also put data at risk. Even the personal conversations you and your staff have outside of work can be a factor. Avoiding breaches goes a lot further than protecting and disposing of data safely. In fact, that's just the beginning. To avoid HIPAA violation reporting that targets your facility, your staff needs training. Fortunately, we have what you need in our HIPAA courses and exams. Check out our "Compliance, Ethics, and Fraud for Health Care Professionals course. Don't delay get started now to protect your staff and patients from data breaches.