The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has announced several recent enforcement actions and settlements for violations of Health Insurance Portability and Accountability Act (HIPAA) rules.
Ambulance Company Pays $65,000 to Settle Allegations of Long-Standing HIPAA Noncompliance
On Dec. 30, 2019, West Georgia Ambulance, Inc. (West Georgia) agreed to pay OCR $65,000 to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule.[1] West Georgia is an ambulance company that provides emergency and non-emergency ambulance services in Carroll County, Georgia.
OCR began its investigation after West Georgia filed a breach report in 2013 concerning the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. Moreover, OCR alleged that despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address its systemic failures.
The HHS press release is available here. The resolution agreement is available here.
OCR Settles Second Case in HIPAA Right of Access Initiative
On Dec. 12, 2019, OCR announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. OCR announced this initiative in 2019 and promised to enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. Korunda Medical, LLC (Korunda) has agreed to take corrective actions and pay $85,000 to settle a potential violation of HIPAA's right of access provision. Korunda is a Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually.
According to OCR, in March of 2019, OCR received a complaint concerning a Korunda patient alleging, despite repeatedly asking, Korunda failed to forward a patient's medical records in electronic format to a third party. Not only did Korunda fail to timely provide the records to the third party, but Korunda also failed to provide them in the requested electronic format and charged more than the reasonably cost-based fees allowed under HIPAA. According to OCR, Korunda was provided with technical assistance on how to correct these matters and closed the complaint. Further, OCR suggested Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of the second intervention, OCR stated the requested records were provided for free in May 2019 and in the format requested.
The HHS press release is available here. The resolution agreement is available here.
OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information
On Nov. 30, 2019, OCR announced an agreement with Sentara Hospitals (Sentara) in which Sentara agreed to take corrective actions and pay $2.175 million to settle potential violations of the HIPAA Breach Notification[2] and Privacy Rules.[3] Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017, HHS received a complaint alleging Sentara sent a bill to an individual containing another patient’s PHI. According to OCR, the investigation determined Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services. OCR stated Sentara reported this incident as a breach affecting eight individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred. Sentara persisted in its refusal to properly report the breach, even after being explicitly advised of their duty to do so by OCR. OCR also determined Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
The HHS press release is available here. The resolution agreement is available here.
[1] 45 CFR Part 160 and Subparts A and C of Part 164.
[2] 45 CFR §§ 164.400-414
[3] 45 CFR Part 160 and Subparts A and E of Part 164.