Texas Cancer Center Fined $4.3 Million by OCR

Texas cancer center to pay $4.3 million in penalties for HIPAA violations after half-hearted and incomplete efforts at encryption

The University of Texas MD Anderson Cancer Center (MD Anderson) did not follow its own encryption policies or the HIPAA Rules and is ordered to pay $4,348,000 in civil money penalties to the Office of Civil Rights (OCR) for HIPAA violations.

During 2012 and 2013 an unencrypted laptop was stolen and two flash drives were lost. The devices contained the electronic personal health information of over 33,500 individuals.

OCR Serious About PHI

Despite creating policies for encryption, the center failed to follow these or to quickly pursue its implementation after the 2012 and 2013 breaches.  “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino.  The $4.3 million is the fourth largest amount ever awarded to the OCR.

The Notice of Proposed Determination by OCR


Healthcare Data Breaches

Increase in Number of Breaches

The Office of Civil Rights has reported a consistent increase in the number of breaches over the last few months. There were a total of 41 breaches in April, affecting a greater number of people than in previous months. The breaches affected a total of 894,874 records.

Unauthorized Access a Cause of Breaches

The healthcare industry continues to be a big target for hackers. Despite this, the biggest cause of breaches was unauthorized access/disclosure incidents. It is likely that cybersecurity defenses have been effective in preventing hackers from gaining access to data.

Phishing is a Problem

One main cause of healthcare breaches in the month of April was phishing attacks. It appears that in April nine breaches attributed to successful phishing attacks were reported. It will be important in the future to improve the technology that prevents phishing emails from being delivered to the inboxes of healthcare workers.

For more OCR Breaches


Failure to Perform a Risk Analysis

Kidney Failure Service Provider Settles for $3.5 Million

Fresenius Medical Care North America (FMCNA) agreed to pay a $3.5 million fee to the U.S. Department of Health and Human Services Office for Civil Rights to settle potential HIPAA violations.

EPHI Breaches

The potential violations stemmed from five EPHI breaches at five separate FMCNA owned covered entities. The investigation uncovered FMCNA’s failure to perform the necessary risk analyses at each of the five locations.

Settle Potential HIPAA Violations

In addition to the $3.5 million settlement FMCNA was ordered to:

  • complete a risk analysis and risk management plan,
  • revise policies and procedures on device and media controls as well as facility access controls,
  • develop an encryption report,
  • educate its workforce members on its policies and procedures.

This is an excellent reminder that the risk analysis must be performed, used to address gaps, and updated on a regular basis.

See more from HHS


HIPAA and the Right to Access


The Right to Access


Healthcare providers are frequently unsure how to handle an access request for protected health information (PHI) that cites HITECH and the right of a patient to access a copy of their records electronically at a reasonable fee. While it's common to deal with authorizations to disclose copies of the designated record set, access requests weren't received on a regular basis until recently.

Delivering Records

When a covered entity is capable of readily producing records in an electronic format it must do so. If it is unable, it must deliver in a format mutually agreed upon by the parties within the 30-day deadline. There is an exception that permits an extension if the paper records must be retrieved from storage.

The right of a patient to access their records in an electronic format, or to direct that a copy be provided to a third party, remains a problem area. The access request must be in writing and signed by the patient. It does not require an additional authorization. A third party, at the patient's request, may send the access request on their behalf, and it must be complied with in the same manner as if personally requested by the patient.

Permissible Fees

The permissible fee for the records produced for an access request is limited to the cost to cover: labor for copying the PHI requested, whether in paper or electronic form; supplies for creating the paper or electronic copy; and postage. State fees that exceed this amount cannot be charged for access requests.

When a third party submits a request for records on its own behalf with an authorization and cites the HITECH fees as the highest that may be charged, it is in error. The access fee limits don't apply.

Guidance from OCR


HIPAA Omnibus Bill Is Here

Anesthesia Compliance Consultants has summarized the major provisions of the HIPAA Omnibus Rule, which will be effective March 26, 2013, with a compliance date of September 23, 2013. This will affect anesthesia practices in many ways.


1.  Final modifications to HIPAA

  •   Make business associates of covered entities directly liable for compliance with HIPAA Privacy and Security Rules’ requirements.
  •   Strengthen the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization.
  •   Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  •   Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
  •   Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  •   Adopt the additional HITECH Act enhancements to the Enforcement Rule, such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

Lack of HIPAA Policies is Expensive

The Office for Civil Rights announced a settlement of potential violations of the HIPAA and Breach Notification Rules on December 27, 2013 with Adult & Pediatric Dermatology, P.C., of Concord, Mass., (AP Derm).

AP Derm settled potential violations with the OCR for a $150,000 payment and a corrective action plan. AP Derm is a private dermatology practice with four locations in Massachusetts and two in New Hampshire.
