October 2020 OCR Resolution Agreements Roundup
After a quiet first half of the year due to COVID-19 and related factors, the Office of Civil Rights (OCR) within Health and Human Services (HHS) is picking back up speed with settling resolution agreements for HIPAA privacy and security violations. The month of September saw eight separate resolutions, which is likely a new record, and the OCR continued to settle these important issues throughout the month of October.
This month the settlements include a large not-for-profit hospital, a small private practice and one of the largest health insurers in the country. Here is a summary of the OCR settlements for the month of October 2020:
Two More Right of Access Initiative Settlements
The theme of the past year of HIPAA Resolution Agreements has continued to be the Right of Access Initiative, which was announced in 2019. The HIPAA Right of Access is an initiative by the OCR that is intended to promote an individual’s rights to gain access to their own protected health information (PHI) within a reasonable amount of time.
September was filled with settlements specifically addressing this initiative, and October continued to carry that goal forward. With the two Right of Access Initiative settlements this month, the OCR has now enforced nine in total, seven of them in 2020. The Director of the OCR, Roger Severino, was quoted this year saying that “OCR has many right of access investigations open across the country and will continue to vigorously enforce this right to better empower patients.”
St. Joseph’s Hospital and Medical Center
Dignity Health, which operates as St. Joseph’s Hospital and Medical Center, is a large Phoenix-based acute care facility. It reached a $160,000 settlement following a Right of Access complaint dating back to 2018. This settlement amount is now the highest dollar value settlement that has been reached under the Right of Access Initiative.
Part of the reason for the high fine amount in this case was that a mother made repeated requests to gain access to her son’s records but was not provided with the complete record following any of these attempts. As a result of the settlement, St. Joseph’s Hospital and Medical Center will now implement a corrective plan which includes two years of monitoring by the OCR.
NY Spine Medicine
A private neurology and pain management practice, NY Spine, operates in NYC and Miami Beach and was the ninth organization to reach a settlement with the OCR under the Right of Access Initiative. This $100,000 settlement follows a patient’s complaints that, despite multiple attempts to request their records, they did not receive the diagnostic films they specifically asked for.
The OCR’s investigation found that this incident was a violation of the standard requiring a covered entity to provide access to all of the individual’s requested medical records in a timely manner. The investigation helped the patient obtain all of their records, just over a year after the initial request. NY Spine will now be required to follow this resolution, implement the corrective plan and be monitored for the next two years.
A Million Dollar Fine for Multiple Breaches within Six Months
In the most interesting settlement for the month, Aetna Life Insurance Company reached a $1,000,000 resolution with the OCR following three separate breaches that occurred in 2017. Aetna, a CVS Health Company, is one of the largest health insurers in the United States as it sells both consumer-driven and traditional healthcare plans.
Back in 2017, three separate complaints were filed against Aetna within just a 6-month period. The first breach occurred in April 2017, when it was discovered that a web service was allowing users to access documents without the login credentials that should have been required. According to Aetna’s breach report, 5,002 individuals were affected by this incident.
The second and third breaches were both mailing errors on Aetna’s part. The second of the three incidents is one of the highest-profile HIPAA violations of recent years. In July 2017, benefit notices were mailed to 11,887 individuals using window envelopes. It was later reported by many members that “HIV medication” could be seen through those windows in addition to the intended name and address.
As this mailing error revealed the HIV status of over 11,000 individuals, it was involved in a series of settlements outside the HIPAA resolution. Aetna paid over $17 million in a class-action lawsuit, with the money to be distributed among the plaintiffs whose HIV status privacy was violated. In addition, Aetna has been required to pay just about $650,000 in fines to the states of Connecticut, Washington and New Jersey and the District of Columbia. These fines follow an investigation by each of these states’ attorneys general regarding the incident.
The final breach that was part of this settlement was a September 2017 mailing error in which the logo of a research study for atrial fibrillation was visible through the window envelope. This incident was almost a direct repeat of the previous breach, although it affected just 1,600 people.
The OCR’s investigation of Aetna found that the company had failed to implement the necessary security and privacy procedures and safeguards in the first place. Moreover, with three significant incidents occurring within a 6-month period, it is clear that Aetna was not performing the proper evaluations of its organization after the first incident in order to better protect its patients’ health information. All of these factors led to a $1,000,000 settlement, a significant corrective plan, and two years of close monitoring.
Improper Employee Termination Led to Breach of PHI
The City of New Haven, Connecticut reached a settlement of $202,400 with the OCR regarding a breach of almost 500 individuals’ PHI. The New Haven Health Department discovered that a former employee, after termination, had returned to the office and used her log-in credentials, which were still active, to access the health department database. At that point the employee was able to download the records of 498 patients onto a USB drive. The copied information included the individuals’ full names, addresses, dates of birth, race/ethnicity, gender and STD test results.
Even after this initial breach incident, the terminated employee shared her credentials with an intern who was still actively employed, and that person continued to use said log-in information to access PHI on the network. The OCR found that these incidents were evidence of the New Haven Health Department’s failure to implement sufficient off-boarding procedures for the protection of PHI, as well as a lack of an enterprise-wide risk analysis process. New Haven will pay this fine as well as follow the corrective plan, including two years of monitoring.
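The off-boarding gap described above (an account left active past its owner’s termination date, then used to log in) is something a health department can check for routinely. The following is an added example, not code from the post or from New Haven; it compares an HR termination roster against authentication events and against directory account state. The log format, the roster, the account names and the `still_active_accounts` directory snapshot are all constructed for illustration.

```python
from datetime import datetime

# Constructed HR off-boarding roster: account name -> termination date.
TERMINATED = {
    "jdoe": "2020-06-15",
    "asmith": "2020-08-01",
}

# Constructed authentication log, one event per line:
# <ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<account> src=<ip>
SAMPLE_LOG = """\
2020-06-10T09:02:11 LOGIN_OK user=jdoe src=10.0.4.21
2020-06-20T22:41:05 LOGIN_OK user=jdoe src=10.0.4.87
2020-06-21T08:15:30 LOGIN_OK user=intern01 src=10.0.4.87
2020-07-02T13:00:00 LOGIN_OK user=bwong src=10.0.4.30
2020-08-03T18:22:47 LOGIN_FAIL user=asmith src=10.0.4.11
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def find_post_termination_logins(log_text, terminated):
    """Return (account, timestamp) for every successful login that happened
    on or after the account owner's HR termination date."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        term_date = terminated.get(ev["user"])
        if term_date is None or ev["result"] != "LOGIN_OK":
            continue
        if ev["ts"].date() >= datetime.fromisoformat(term_date).date():
            hits.append((ev["user"], ev["ts"].isoformat()))
    return hits


def still_active_accounts(directory_accounts, terminated):
    """Given a directory snapshot {account: enabled?}, return the accounts
    that HR lists as terminated but that are still enabled."""
    return sorted(a for a, enabled in directory_accounts.items()
                  if enabled and a in terminated)
```

Running both checks on a schedule turns the missing off-boarding step into a detectable condition: the first surfaces the login that should never have succeeded, the second catches the account before anyone uses it.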