Monthly Update: October 2020 HIPAA Violations
Greg Garner
The amount of information that we give employers, insurance companies, and our medical professionals can seem invasive.
Oftentimes we want to cling to our privacy and dread the rather intimidating questionnaire that can come from a simple doctor’s office visit. To reduce a lot of the discomfort that may come from sharing private information, the federal government has implemented a firm set of guidelines which protect the privacy of private information.
Although these privacy measures are in place, HIPAA violations continue to take place. The creation of new methods of information acquisition and transference led to the development of new laws.
What Is HIPAA
In 1996 Congress established HIPAA, the Health Insurance Portability and Accountability Act. This law was enacted to protect patient privacy. HIPAA guidelines and regulations have expanded to increase security around sensitive patient information.
HIPAA governs the privacy and security of patients’ personal health information. HIPAA works across various sectors of the health industry. This law encompasses all aspects of patient information. It covers health insurance companies, providers, and any group which has access to private information. HIPAA is an industry law protecting patients’ information in every step of healthcare.
HIPAA enforces the protection of medical information created or received by:
- Healthcare providers
- Health plan authority
- Life Insurance
- Schools or Universities
People who work at any of these locations could have access to private information. They need to be educated on HIPAA and are accountable for the mishandling of information.
Information Protected by HIPAA
HIPAA protects all “individually identifiable health information”. It covers different entities and organizations which have access to this information. The private health information (PHI) included in HIPAA must meet certain guidelines.
HIPAA-protected PHI includes medical information or correspondence specific to an individual or party. Information such as an individual’s health condition or test results receives protection. This information is identifiable because it has the patient’s name, social security number, date of birth, or other identifying factors.
The use of unidentifiable information lets hospitals and medical professionals share their findings. This can be beneficial for research and publication of de-identified health information.
PHI can be de-identified for distribution. This can be done by stripping the records of any identifiable information. In the medical field, there are many opportunities for publishing research, which makes the ability to de-identify health information beneficial. It allows companies to publish their findings.
HIPAA compliance training and certification is used to educate people who handle PHI. Any business connected to a patient’s private medical information needs an understanding of HIPAA. This way they can know how to follow the rules and regulations set forth by HIPAA.
HIPAA training not only secures people’s private medical information. It also helps improve the efficiency of the industry as a whole. By allowing the secure use of this database of information, medical professionals can work seeing the whole picture. This is only possible as long as entities can maintain patients’ right to privacy.
Organizations must provide evidence that individuals who were working with sensitive and private information can keep it secure. All employees need to both understand and follow the mandated HIPAA guidelines.
HIPAA Violations Reporting
HIPAA relies on the federal complaint filing system to uncover violating entities. This filing system allows reports on groups violating individuals’ health information privacy rights. Health care providers and health care users are able to file HIPAA violations online.
It is important that healthcare consumers are aware of the different reporting systems. Consumers should be educated on their right to privacy to best aid in the reporting process. The Department of Health and Human Services Office of Civil Rights (OCR) investigates filed complaints.
This office is primarily responsible for launching investigations and enforcing HIPAA regulations. Depending on the severity and motive of the breach the investigation may expand. Different entities such as the State Attorney’s office, U.S. Food and Drug Administration, Federal Communications Commission, and the Centers for Medicare and Medicaid Services may play a role in the enforcement process.
HIPAA Penalties and HIPAA Violation Fines
Following the submission of a claim, OCR will begin to conduct a comprehensive investigation. They will collect evidence and define a list of potential corrective measures. OCR will determine that some HIPAA violation cases are not eligible for enforcement.
Sometimes the OCR receives a violation for investigation even before disclosure of PHI or breach takes place. They run systems checks to ensure that standard operating procedure keeps information safe. The OCR ensures that all health information is secure and can investigate a lack of safeguards in place even before an incident occurs.
Violation of HIPAA laws can result in both criminal and civil penalties. HIPAA violations can come from negligence as well as malicious intent and can result in a wide variety of penalties. When medical information is knowingly disclosed, punishment is more severe. OCR will refer the case to the Department of Justice to complete the investigation.
HIPAA strives to increase the level of transparency between patients and healthcare entities. HIPAA requires that the patient be informed any time PHI is breached.
Breaches of information can range from a single file to an entire database and its files being accessed. As a result, cybersecurity has become a growing arm of the healthcare industry, in order to further ensure file protection and privacy.
A lot of protected information disclosures are not from negligence. The medical provider may not have been acting maliciously. Many breaches come from cyberattacks. In a cyberattack, a hacker or outside entity wants to illegally obtain PHI.
Over the past decade, we’ve seen a spike in the amount of phishing and ransomware attacks on PHI. Large criminal digital data breaches are usually referred to other investigative organizations. This is when groups such as the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, or the Department of Health and Human Services take the lead on the investigation.
The increase in cyberattacks on the healthcare industry has resulted in mass breaches of PHI. Sometimes these cyberattacks involve leaks on various digital servers. It can be necessary to bring in outside specialist groups to complete risk assessments on cyberattacks.
Ransomware is an attack on your computer software or digital database. This malware usually involves criminal activity. Typically, groups collect personal information to then sell this information for profit. This is a high-tech form of hacking that has been causing large data breaches in the field of healthcare.
- Luxottica of America Inc., a prescription sunglass company, underwent a ransomware attack. This attack resulted in a breach of 829,454 individuals’ private information.
- AdventHealth Orlando’s ransomware attack resulted in the breach of 315,811 individuals’ PHI.
- Sisters of Charity of St. Augustine Health System also had a ransomware attack. This attack breached 118,874 individuals’ PHI.
With the increases in cyberattacks, the medical industry has had to diversify. They have had to seek help from leaders in cybersecurity to help keep their patients’ and clients’ PHI protected.
Phishing attacks may be one of the more common ways of illegally soliciting PHI. Phishing is a fraudulent attempt to access information by pretending to be a different group.
The Presbyterian Healthcare Services healthcare provider recently suffered a data breach. This breach affected 193,223 individuals as a result of a mass phishing attack.
Emails are a heavily used tool in phishing attacks. Emails often display identifying features to seem legitimate. This false sense of legitimacy is used to help criminals obtain falsified documents.
HIPAA Regulation Shifts Under COVID-19
Because of the coronavirus, in-person paperwork and healthcare have shifted. With this shift, HIPAA regulation had to be flexible. This has been necessary to ensure the safety of healthcare workers and patients. The expectation set by HIPAA during this pandemic is that all PHI would remain “reasonably private”.
These changes lowered a lot of HIPAA submissions, as COVID-19 required some sharing of information. This has resulted in fewer COVID-19 related HIPAA violations. The definition of a “reasonable expectation of privacy” ranges with the CDC involved.
Because of the increased use of telemedicine, there has been more use of non-public facing platforms. Platforms such as iMessage, Zoom, or Skype allow private interactions between users. Personalized links and host-admittance features allow a reasonable level of privacy.
The adaptability of health care professionals in the age of COVID has significantly reduced the amount of non-COVID related in-patient care needed.
COVID-19 made sharing health information important for national safety. Contact tracing and notifying individuals who may have been infected was very important. This resulted in a downward shift in 2020 of OCR resolutions being made. State law allowed hospitals to disclose PHI about COVID-19 positive patients.
The freedom of private information flow was enabled due to the need for contact tracing. As things have normalized, we have seen an increase in violations being filed.
The increase in violations of patient privacy through a lack of HIPAA compliance can result in long-term investigations. These investigations lead to the administration of penalties. In October we saw several HIPAA violation cases under investigation be resolved.
St. Joseph’s Hospital and Medical Center
A growing trend in HIPAA cases is right of access. HIPAA recognizes one’s right to keep their information private and individuals’ ability to access their own medical records. Individuals have sought their right to gain access to their own PHI. It is important to access your own information in a reasonable amount of time.
The argument is that getting access to your own medical records should not be stalled. Bureaucratic paperwork, inefficiency, and unnecessary delays are why information access is often delayed. OCR has recently set a precedent in this as they have made strides in better serving patients.
One of the largest Right of Access settlements came in October 2020 through Saint Joseph’s Hospital and Medical Center. This Phoenix-based facility reached a settlement for $160,000 on a case that was filed back in 2018. Dignity Health, the acting part of Saint Joseph’s Hospital and Medical Center, lost this case. They lost because they failed to disclose medical information in a reasonable amount of time.
A mother filed for access to her son’s personal medical records. She failed to receive these upon request. She submitted a request on January 24th, March 22nd, April 3rd, and May 2nd of 2018. These four requests were deemed unreasonable steps to take to receive access to medical records.
She was granted access to several of the records. But she was not granted all the medical records she requested in a reasonable amount of time. It wasn’t until December 19th of 2019 that all four requested records were disclosed.
Saint Joseph’s Hospital and Medical Center was found guilty. They were given a sizable fine and had to enter a corrective action plan and undergo monitoring over the course of the next two years. This plan is designed to streamline the medical paperwork release process.
New York Spine
NY Spine Medicine is a neurology and pain management practice based out of New York and Miami. This private practice reached a resolution with the OCR in October of 2020. NY Spine also received a sizable fine and corrective actions to implement. They endured these penalties as a result of their failure to disclose information in a timely manner.
The OCR announced the Right of Access clause as an enforcement priority in 2019. Failure to provide individuals with timely access to their health records at a reasonable cost is a violation of HIPAA privacy law. Since this is a new priority of enforcement, it is understandable that 2020 has brought up some of the largest litigations and Right of Access suits.
In July 2019 the complaint filed against NY Spine indicated that the patient lacked access to fully requested documents. The request included diagnostic films, although some requested documentation was provided. As a result of making a patient wait over a year to receive access to their own medical records, NY Spine was guilty. They were required to implement a corrective plan and be monitored. In addition to reformation practices, NY Spine had to pay a $100,000 settlement.
Aetna Life Insurance Payouts
The Aetna Life Insurance Company has been reaching several settlements in the past month. This life insurance company is one of the largest health insurers in the United States, as it is the commonly used CVS Health Company. Many if not all of these cases are a result of a serious level of negligence on behalf of the company. All these breaches which have recently reached resolution were filed in 2017 within a 6-month period.
Breaches of large insurance companies such as Aetna are very serious, as they typically involve a leak of thousands of clients’ PHI. These cases were often accompanied by class-action lawsuits, so the financial penalties for Aetna’s negligence exceeded that of the HIPAA violation fines imposed by OCR.
Unlocked Web Access
In April of 2017, a complaint was filed with OCR for too much web access. Because users could access private documents without the use of private log-in credentials, the website was not secure. This error resulted in 5,002 individuals’ PHI being accessible without personalized credentials.
Mailing out HIV Statuses
In July of 2017 Aetna mailed out benefit notices to 11,887 individuals. This mail came in a “window envelope”, meaning that the recipients’ mailing information could be seen through a clear piece of plastic on the outside of the envelope. But what was also visible was the recipients’ HIV medication. Over 11,000 individuals were affected by the mailing error which shared HIV status.
A class-action lawsuit was filed against Aetna for the lack of protection of PHI, where Aetna paid out $17 million to be distributed amongst plaintiffs who were a part of the suit. As a result of the mailing mishap, Aetna also was fined $650,000 by several cities following an investigation by the state’s attorney general’s office.
Mailing out Research Studies
Even after the HIV mailing breach, there was another mailing breach due to the use of window envelopes. Information breaches due to mailing or other routine practices are important to be flagged in order to reduce repeat offenses. Repeated incidents are very possible if an organization does not alter its protocols.
In September 2017, another PHI breach occurred. This time 1,600 people were affected by a mailing error that showed the logo of a research study. Making this logo visible led to the distribution of patients’ private information, as being participants of the research study was protected information under HIPAA.
By having the same issue in mailing, there was an overall lack of care being put into Aetna operations. This negligence was made clear through repeat offenses.
OCR Repercussions for Aetna
As a result of these three breaches affecting almost 20,000 individuals over the course of 6 months, OCR’s investigation was very in-depth. Through running a full system risk assessment, OCR found that Aetna had been failing to implement necessary security. This level of negligence was easily avoidable if standard operating procedures were followed.
In the fact that three incidents occurred within a short period of time, we saw a lack of responsibility. Aetna was not performing proper evaluations of the organization’s PHI safety and security practices. Their resolution led to a $1 million settlement, the implementation of a corrective action plan, and two years of monitoring.
Aetna not only agreed to complete internal periodic PHI security checks; they also agreed to run internal risk assessments on information distribution. They also required that all employees with access to PHI complete training.
Aetna Life Insurance Company insured an estimated 39 million people. A company of this size needs to be able to assure the highest level of privacy and basic PHI protection to its members.
City Health Violations
In January 2017 the New Haven Health Department filed a breach. A former employee kept access to the PHI of 498 individuals after he left his position.
The reporting on the New Haven case was heavily delayed. Even after the discovery of the delay in the reporting process, evidence was able to be easily collected. The former employee was fired in July 2016 and kept access to private information.
The former employee kept access to people’s addresses, STD test results, date of birth, and name. This was not a one-time offense. The individual kept login credentials for a long time, even after termination. The login information was routinely used by an intern as well.
OCR administered punishment to the New Haven Health Department as a result of their reckless behavior. The Health Department paid a sizable fine. Additionally, they had to undergo monitoring and implement a Corrective Action Plan.
The New Haven Health Department was not acting out of bad intent. By failing to remove an individual from the system who was fired, they acted recklessly. Yet this careless behavior affected hundreds of individuals, because personal information was no longer secure.
Protected by HIPAA
HIPAA has been working to ensure patient privacy for the past 25 years. In that time it has launched many investigations through OCR. They have also implemented reform on groups that have inadequately protected personal privacy.
By using corrective action plans, institutions are constantly improving. These changes work to ensure that the healthcare industry is reliable and secure. The investigation of HIPAA violations and litigation takes an extended period of time to be through. HIPAA law strives to keep you and your personal information safe.
To educate yourself on HIPAA and how to best safeguard PHI in the medical field get connected.