
Planet HIPAA Blog

5 Lessons Learned From 5 HIPAA Fines In One Day

On September 15, 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) hit a NEW record – 5 HIPAA Fines with Corrective Action Plans in ONE day! The HIPAA fines and corrective action plans had one main theme in common – not supplying patients with a copy of their requested medical records in a timely fashion. The other key item from the OCR's action is that these were not large multi-million dollar fines based on data breaches. These were fines that ranged from $3,500 - $70,000 and were all based on a patient making a complaint to the federal government, which, upon investigation, led to findings of noncompliance with HIPAA and with the patients' rights defined by HIPAA.

5 Lessons Learned:

  1. Patients Have a Right to File a Complaint – the common theme for these HIPAA fines is that they were based on patient complaints to the Department of Health and Human Services. Once the complaints...
Continue Reading...

A Solo Doctor Practice Received A $100,000 HIPAA Fine: What Steps Should You Take Now To Avoid Being Next?

Dr. Steven Porter has a gastroenterology practice that sees more than 3000 patients per year. In 2013, Dr. Porter reported to the OCR that a business associate was impermissibly using his practice's electronic protected health information and blocking the practice's access to vital ePHI unless the practice paid a monetary fee. The Office for Civil Rights (OCR) of the Department of Health and Human Services (DHHS) opened an investigation and found Dr. Porter's practice to be significantly out of compliance with the HIPAA Privacy and Security regulations. OCR offered technical assistance to Dr. Porter's practice; however, no steps were taken to correct the areas of HIPAA non-compliance. As a result, Dr. Steven Porter's practice was fined $100,000.

What was Dr. Porter’s Practice Missing?

HIPAA Risk Analysis

Dr. Porter’s practice failed to conduct a thorough and complete HIPAA risk analysis before and after the...

Continue Reading...

How a Yelp Review Led to a $10K HIPAA Fine & How You Can Avoid A Similar Fate

Another HIPAA enforcement fine for 2019, and another reminder that the focus of the Department of Health and Human Services' Office for Civil Rights (OCR) investigations and settlements is on protecting the rights patients are given under HIPAA.

This time, a dental office in Texas was assessed a $10,000 HIPAA fine because information was improperly disclosed in response to a Yelp review. I know it can be frustrating to have negative online reviews and you want to respond and support/protect your clinic – but unfortunately, there are items you cannot say, especially in the online world! Like it or not – it is the REALITY! Read more about responding to Yelp reviews in my article "An Expert's Guide to Patient Privacy and Online Reviews."

“It’ll Never Happen to my Organization”

In my many years of consulting in the healthcare privacy and security space, I hear it all the time:

  • “The OCR doesn’t...
Continue Reading...

What Do Dental Clinics, Prison & HIPAA Have In Common?

A receptionist from a New York dental practice was recently sentenced to a 2- to 6-year jail term for accessing and disclosing protected health information from the dental clinic where she worked.

For a 6-month period, the dental receptionist accessed patient information from the dental practice and disclosed it to a third party via unsecured email. The third party then used the information to steal the identities of the patients.

You don't want to think that this scenario will ever happen to your practice or that your employees will ever go rogue. Unfortunately, something like this could happen again, and if you don't have the right processes established or safeguards implemented, your ability to respond quickly and appropriately can be delayed.

Employees snooping through patient medical records or stealing patient information is a big HIPAA risk that needs to be addressed within a practice.  Workforce members causing HIPAA violations is one...

Continue Reading...

HIPAA Data Breaches in 2017 – Another Record Breaking Year!

Unfortunately, as promised, 2017 brought many challenges to properly protecting patient information in healthcare. We saw a record number of data breaches in 2016, with cybersecurity attacks on a fast and furious rise. In 2017, the trend continued, with many healthcare organizations being hit with different cybersecurity attacks that resulted in data breaches. However, on top of the increase in cybersecurity issues, many other causes of data breaches emerged. A total of 340 large data breaches (500+ individuals impacted) were reported in 2017, impacting 4,977,655 individuals!

Some key highlights from the 2017 HIPAA Data Breaches!

Healthcare providers continue to lead in the number of data breaches. This should come as no surprise as there are more healthcare providers than health plans and healthcare clearinghouses in the United States. Of the 340 large data breaches:

  • 274 were reported by covered entities (81%)
  • 49 were reported from health plans (14%)
  • 17 were reported from business...
Continue Reading...

5 Essential Steps to Ensure an Effective HIPAA Program

HIPAA Compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself – is the meaning of HIPAA Compliance the same throughout the industry? The answer is NO! When I walked into a healthcare organization last month, its HIPAA Privacy Officer was excited to tell me that they are fully HIPAA compliant and don't have any on-going concerns with meeting the regulations. A quick review of the documentation requirements and auditing practices indicated that there were many holes in their HIPAA Compliance Program. As I spoke with the HIPAA Privacy Officer, she showed me the tools she had used to get to their current state with HIPAA. Needless to say, the tools were missing core components of the documentation requirements and didn't include the essentials for on-going maintenance of compliance. This left the organization at risk for a HIPAA data breach or an unauthorized use or disclosure of health information!

Trying to...

Continue Reading...

Here’s A Quick Way To Check If Your Website Is HIPAA Compliant

Part of being successful with the HIPAA regulations is understanding what is needed for compliance. Definitely easier said than done. The HIPAA audit protocol published in 2016 is a great tool to evaluate your HIPAA Compliance and understand the areas that you need to work on. The HIPAA audit protocol is definitely the answer key that you can use to take the HIPAA Compliance test!

In 2016, Planet HIPAA wrote a blog “Could Your Organization’s Website Reveal Your HIPAA Non-compliance?” This blog focused on the need to look at your website to determine if your Notice of Privacy Practices is posted and current. The response to that post was amazing and many organizations reached out for more guidance and additional information regarding the Notice of Privacy Practices.

For some fun, I recently did an audit of 18 different websites to determine how the Notice of Privacy Practices was coming along and if organizations were actually posting it on their website. The...

Continue Reading...

19 Days into 2017 and 2 HIPAA Fines Later…

Well, HIPAA enforcement is getting off to an active start in 2017. 2016 was a record year with 13 HIPAA Enforcement fines amounting to $23.5 Million! Just 19 days into the New Year, OCR has already published 2 HIPAA Enforcement fines amounting to $2.7 Million. It is safe to assume that we are going to see another active year of HIPAA Fines and Enforcement!

2017 HIPAA Enforcement Fine #1 – Lack of Timely HIPAA Breach Notification – $475,000

Presence Health found out about missing operating room paper schedules containing 836 patients' protected health information on October 22, 2013. Notification was made to the Department of Health and Human Services on January 31, 2014 – approximately 101 days later. This was definitely a red flag, and the Office for Civil Rights (OCR) went in to investigate the concerns. During the investigation, it was found that Presence Health had failed to provide timely written notification to those affected by data breaches on multiple occasions. In...

Continue Reading...

Does the 2016 HIPAA Audit Protocol Set New Expectations for HIPAA Policies and Procedures?

The HIPAA Privacy, Security, and Breach Notification Regulations require healthcare organizations to establish policies and procedures that help demonstrate compliance with the regulations. An organization can have well-established security practices or appropriately provide a patient with a copy of medical records, but if the organization doesn't have a written policy and procedure for that specific requirement, it can be found out of compliance with the HIPAA regulations. Why is that? Because the HIPAA regulations have specific requirements that mandate the creation of written policies and procedures.

The specific regulations are as follows:

  • Privacy Rule Documentation – 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 164.316(b)(1) – Maintain the policies and procedures implemented to comply with the regulations in written...
Continue Reading...

The Complete Guide To Reporting A Healthcare Data Breach The Right Way

Reporting a Data Breach to HHS – Collect All the Information the First Time

As of today, there have been 1694 data breaches reported to The Department of Health and Human Services, which have impacted over 168 million individuals. The numbers continue to increase at a rapid pace with a clear concern for data breaches in 2016 and continuing forward into 2017. The final breach notification rule requires that healthcare organizations conduct a data breach investigation on each and every unauthorized use and disclosure of protected health information to determine if there is a “low probability that the information is compromised.” What does that actually mean and how do you prove “low probability?”

To start, a breach risk assessment should be completed on each unauthorized use or disclosure of protected health information. As part of the breach risk assessment, four objective questions must be asked and answered Every Time an investigation is...

Continue Reading...