Monthly Update: HIPAA Violations in November 2020
By Greg Garner
For healthcare data breaches involving 500 or more records, 2020 was a banner year. Unfortunately, 642 of these large breaches occurred this past year.
As it currently stands, hacking and other IT incidents tend to be the main cause for large breaches of healthcare data. In fact, hacking and other IT incidents accounted for nearly half of the breaches in November.
Besides these breaches, there have been various smaller instances of compromised patient data. These HIPAA violations are regulated by HHS, the US Department of Health and Human Services.
In fact, the Office for Civil Rights (OCR) within HHS has resolved ninety-eight percent of all complaints since the start of the Privacy Rule in 2003.
With such a disruption in the normal workflows of many clinicians, there has been an uptick in various HIPAA violations. While these are not excusable, it’s important for medical professionals to learn from these situations to avoid future occurrences.
For more information on the HIPAA violations specific to November 2020, keep reading.
What Is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It is a federal law passed in 1996, creating national standards to protect sensitive patient information. HIPAA ensures this data is not shared without the patient’s consent, other than in extreme circumstances.
The US Department of Health and Human Services oversees HIPAA implementation. This department created the HIPAA Privacy Rule. This specifically codifies requirements of HIPAA for medical professionals and other associated industries.
In particular, the Privacy Rule refers to “covered entities.” These are the medical professionals responsible for protecting patient data.
This goes beyond doctors and nurses. It also includes:
- Other healthcare providers
- Insurance agents
- Hospital administration and billing staff
- Nursing homes
The Privacy Rule also applies to subcontractors that have access to patient information. These are “business associates.”
Most patients know the HIPAA Privacy Rule protects them from data loss to unauthorized sources. But the rule also ensures proper access to a patient’s own information. Medical professionals must provide timely and affordable access to records upon request.
These federal regulations are deeply instilled in medical professionals throughout their training. There is no excuse for breaking this law—and the government carries this mentality into HIPAA violation penalties.
The State of HIPAA in November 2020
With such a tumultuous year for everyone, there was a lull in HIPAA settlements in the early part of the year. But compliance enforcement is back with a more consistent presence.
This is especially true for new initiatives. While circumstances are changing, the HIPAA Privacy Rule is not suspended during COVID.
As the country works to navigate our new normal, both providers and regulators continue to work towards compliance. But given the unique pandemic circumstances, this is much easier said than done.
This is especially true with such large numbers of remote workers and the use of telemedicine. With this, the idea of the traditional medical environment has fundamentally shifted.
While the number of healthcare data breaches dropped in November, the figures are still notable. This is especially true coming off the heels of a rocky October. In this time, cloud service provider Blackbaud was subject to a ransomware attack.
Turning to November, there were 47 data breaches in which 500 or more healthcare records were compromised. While this figure is lower than October’s total of 63, it is still significantly higher than the 12-month average of 41 monthly breaches.
Besides the lower occurrence of these breaches, the number of records exposed reduced, as well. In November 2020, there were 1,139,151 healthcare records exposed or disclosed inappropriately.
This is more than 54 percent lower than October’s tally. It is also below the 12-month average of 1,885,959 records per month.
HIPAA Violation Cases in November 2020
There are two categories of situations discussed below. Both show examples of failing to properly protect patient data.
On one hand, there are situations where offices that house patient data fail to properly protect their patients' information. These examples are on an individual patient basis. This may come in a variety of forms and can affect individual patients differently.
This type of activity tends to stem from negligence, rather than a purposeful attack on patient confidentiality.
On the other side, there are large-scale data breaches involving troves of patient records. Unlike the former, this usually stems from an orchestrated attack on a center for patient data.
For reference, the main type of breach in November 2020 was on network servers. Hackers and other experienced technologists locate vulnerabilities within the healthcare provider’s network. From there, they exploit these weak points to gain access to the servers and compromise large amounts of patient data.
Other common forms of attack include email scams. Healthcare staff may unknowingly provide access to secure servers by clicking phishing links. These often pose as coming from legitimate sources.
HIPAA Enforcement Actions
HIPAA enforcement actions are carried out by the HHS Office for Civil Rights. In November, OCR announced three enforcement actions—all within its new initiative.
The HIPAA Right of Access enforcement initiative began in 2019. The goal is to crack down on healthcare providers that do not provide their patients with appropriate access to their health records. This access should be timely, with a reasonable cost-based fee.
In the three cases OCR addressed in November, the healthcare providers failed to provide a timely copy of the patient records. They did not meet the 30-day window as mandated by the HIPAA Privacy Rule.
The University of Cincinnati Medical Center
The largest settlement of November 2020 came from The University of Cincinnati Medical Center, LLC (UCMC). This healthcare provider settled with OCR, agreeing to pay a penalty of $65,000.
This settlement followed a patient complaint to OCR in May 2019, in addition to a February 2019 complaint. The patient described UCMC's failure to act on her request for her EHR records to be sent to her lawyer. After investigating, OCR found that UCMC was responsible for HIPAA violations.
Following the investigation, UCMC paid a fine of $65,000. Furthermore, the medical provider successfully delivered the requested records. UCMC must follow a corrective plan to avoid future occurrences of the same violations. To ensure compliance, OCR will watch this provider over the next two years.
This case is significant, as it demonstrates the tenets of the HIPAA Right of Access within the Privacy Rule. This regulation states that patients have the right to timely and affordable access to their own medical records. But in addition, they have the right to request electronic copies of their records to be sent to a third party of their choice under the same guidelines.
Riverside Psychiatric Medical Group
Riverside Psychiatric Medical Group also settled with OCR for a violation of HIPAA Right of Access. This healthcare provider in Riverside, California specializes in childhood and adolescent psychiatry.
The group agreed to pay a $25,000 penalty, after a March 2019 patient complaint. The complaint alleges that the patient requested records but did not receive them within the mandatory 30-day window.
Following this complaint, OCR worked with the group to resolve the situation. OCR provided technical assistance and closed the complaint, expecting the group to comply going forward.
Unfortunately, the same patient complained again in April 2019 for the same reason—the records had still not been delivered. Following this second complaint, OCR investigated. They ultimately settled with Riverside Psychiatric Medical Group.
The group paid HIPAA violation fines of $25,000. They also finally delivered the patient her records in October 2020. This was 18 months after her initial request.
On top of the fine, Riverside Psychiatric Medical Group must also follow a corrective plan. OCR will monitor them over the next two years to ensure compliance.
Dr. Rajendra Bhayani
Finally, Dr. Rajendra Bhayani paid HIPAA violation fines of $15,000 for failing to adhere to HIPAA Right of Access regulations. This private otolaryngology practitioner is based out of Regal Park, New York.
This fine was levied after a September 2018 patient complaint. The patient in question had not received medical records, despite requesting access in July of that year.
Like the preceding situation, OCR followed up on this initial complaint with technical assistance. The office hoped to improve compliance with the Right of Access initiative.
Despite this help, the same individual submitted yet another complaint in July 2019. The patient still had not received the requested records, one full year after the initial request.
OCR investigated the situation and ultimately settled with Dr. Bhayani for $15,000. Beyond the fine, Dr. Bhayani will also be required to follow a corrective plan. The office will be monitored over the next two years.
Large Data Breaches
Luckily, there were fewer large patient data breaches throughout November 2020. But there were a few examples of continuing data loss following the Blackbaud incident from the previous month.
In November, the Bayhealth Medical Center in Delaware was subject to a hacking/IT incident. This was directly related to the Blackbaud ransomware attack of September 2020. In the case of Bayhealth Medical Center, more than 78,000 individuals were affected.
Similarly, the Methodist Hospital of Southern California experienced a hacking/IT incident. This also stemmed from the Blackbaud attack. This Californian healthcare provider’s incident affected nearly 40,000 individuals.
Read on below for more examples of notable HIPAA violation reporting information from November 2020.
AspenPointe, Inc.
The month’s largest healthcare data breach came from AspenPointe, Inc. This Colorado healthcare provider also reported a hacking/IT incident. This resulted in data loss affecting 295,617 individuals.
The incident was due to a ransomware attack. Unfortunately, hackers were able to access large amounts of sensitive patient data. This included health, personal, and financial information.
Lawrence General Hospital
This Massachusetts healthcare provider also reported a hacking/IT incident in November. This resulted in 176,587 patients affected by the unspecified data security incident.
Alamance Skin Center
Another notable data breach came from the Alamance Skin Center in North Carolina. This data loss resulting from a ransomware attack affected 100,000 individuals.
Mercy Iowa City
Mercy Iowa City—a healthcare provider in Iowa—also reported a hacking/IT incident that resulted in 92,795 affected individuals. Unlike the others, this case was due to phishing.
On the large scale, network security will remain a top priority for any organization that houses patient data.
This is especially true as remote work and telemedicine will be around for the foreseeable future. With this comes the need for stronger network security and better data monitoring services.
On a smaller scale, it’s important for any healthcare providers or other offices that have access to patient data to stay informed. There are many moving parts in our ever-changing global situation. Yet protecting patient information must remain a top priority.
The HHS enforcement body OCR continues to track and act on instances of HIPAA violations. This is especially true for their new initiative for the Right of Access laid out in the Privacy Rule.
It’s critical that all healthcare-related offices understand the regulations in this law. They must understand how it applies to their practice, and correct any lacking areas.
To achieve this, all offices with patient data access must remain dedicated to HIPAA compliance. The easiest and most effective way to achieve this is with online courses focused on this topic.
Luckily, there are affordable resources available. These courses keep your office aligned with federal regulations in the evolving workplace.
Helping Your Team Avoid HIPAA Violations
November 2020 was a busy month for HIPAA violations. This occurred at the individual-provider level. It also took form as large-scale data breaches that compromised patient data. With this in mind, it’s important now more than ever to review your office’s compliance.
Thanks to HIPAA Exams, it’s easy to keep everyone on the same page for their legal obligations in protecting patient data. With their streamlined and affordable online courses, every office can benefit from a refresher in this area.
Contact an experienced representative for more information on the best courses for your office. Learn more about how you can keep your team compliant in our new normal.