Two New HIPAA Settlements Announced by HHS OCR; Including a $350,000 Settlement for a Business Associate

Bruce D. Armon, Brenda Glaser Abrams

Earlier this month, the U.S. Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") announced two (2) separate settlements: one with a HIPAA business associate for $350,000, and one with a HIPAA-covered entity for $15,000 pursuant to the OCR Right of Access Initiative. Both matters underscore that HIPAA compliance remains essential for covered entities and business associates alike: OCR investigations can run for years, and resolving allegations of non-compliance is expensive.

What You Need to Know:

  • HIPAA-covered entities and business associates need to maintain HIPAA compliance.
  • Reaching a settlement with HHS OCR can take multiple years and be a costly endeavor for the parties involved.


In July 2018, OCR began an investigation of MedEvolve, Inc. ("MedEvolve") after receiving a breach notification report (with two subsequent addenda) stating that a MedEvolve file transfer protocol ("FTP") server containing PHI had been unsecured and accessible from the internet since January 1st of that year. The PHI of more than 230,000 individuals from two different HIPAA-covered entities was exposed, including patient names, billing addresses, telephone numbers, and Social Security numbers. OCR's investigation found that MedEvolve had failed to enter into a business associate agreement with a subcontractor, and that its assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI it held as a business associate was not sufficiently accurate or thorough.

Although MedEvolve admitted no liability, it agreed to pay $350,000 and to enter into a two-year corrective action plan ("CAP") with OCR that requires MedEvolve to do each of the following:

  • conduct an accurate and thorough risk analysis to determine its risks and vulnerabilities;
  • develop and implement a risk management plan;
  • develop, maintain, and revise, as necessary, its written policies and procedures;
  • augment its existing HIPAA training program for its workforce;
  • report to HHS within 60 days when its workforce members fail to comply with its HIPAA policies and procedures; and
  • provide annual implementation reports to HHS summarizing its efforts with respect to the CAP, including an attestation by a MedEvolve owner.

The MedEvolve Resolution Agreement and CAP can be reviewed here.

Separately, OCR announced a $15,000 settlement with a licensed counselor providing psychotherapy services. The settlement resolved a potential violation arising from the provider's failure to give a father a copy of the medical records of his three (3) minor children. OCR initially received a complaint about the provider in December 2017; it provided technical assistance to the provider regarding the HIPAA Privacy Rule's right of access requirements and then closed the complaint. The same parent requested copies of his children's medical records again in April 2018, and the provider failed to respond to this second request.

The provider admitted no wrongdoing as part of the settlement, but agreed to a CAP with OCR that requires the provider to:

  • review and revise its policies and procedures for individual access to PHI;
  • provide training materials to OCR for OCR's review and approval regarding an individual's right of access to PHI and, once approved, train provider's staff;
  • within 15 days after the effective date of the Settlement Agreement, provide the complainant access to the requested records; and
  • for the duration of the CAP, submit to HHS a list of requests for access to PHI that the provider receives, including the date the request was received, the date the request was completed, the format requested and provided, and the number of pages and cost (excluding postage) for the requested records.

This Resolution Agreement and CAP can be reviewed here. This matter is the 44th settlement pursuant to the OCR Right of Access Initiative.

HIPAA-covered entities and business associates, large and small, must remain compliant with the Privacy Rule, the Security Rule, and the breach notification requirements, and must honor individuals' right of access, which OCR continues to enforce through its Right of Access Initiative – or potentially face the consequences.

Saul Ewing attorneys regularly assist covered entities and business associates with HIPAA compliance policies and procedures and training and breach response issues.
