2020 has been a busy year for HHS’ Office for Civil Rights, from Premera Blue Cross’ $6.85 million settlement, the second largest in OCR history, to numerous right of access case resolutions.
Here are 17 hospitals, health systems and health plans that have agreed to HIPAA settlements so far this year.
1. Steven Porter, MD, a gastroenterologist in Ogden, Utah, agreed in March to pay OCR $100,000 to settle a potential HIPAA violation related to a data breach stemming from a dispute with a business associate. OCR determined that Dr. Porter failed to conduct a risk analysis when the breach was reported.
2. Providence, R.I.-based Lifespan agreed in July to settle a potential HIPAA violation related to a stolen laptop for just over $1 million. Lifespan reported the breach in April 2017 as affecting 20,431 individuals, and OCR found that the health system had systemic noncompliance with HIPAA rules, including failure to encrypt electronic protected health information as well as a lack of device and media controls.
3. Metropolitan Community Health Services, doing business as Agape Health Services in Washington, N.C., agreed in July to pay OCR $25,000 to settle potential HIPAA violations stemming from a June 2011 data breach. OCR said the organization did not conduct any risk analyses or provide staff security awareness training to prevent security incidents.
4. Premera Blue Cross agreed to pay OCR $6.85 million in September to settle potential HIPAA violations related to a breach that affected more than 10.4 million people. The settlement is the second largest payment to resolve a HIPAA investigation, which centered on a 2014 email phishing attack on Premera’s systems that went undetected for nine months and exposed the protected health information of 10.4 million individuals.
5. A Community Hospital Systems entity that provides business associate services to hospitals and clinics agreed in September to pay $2.3 million to settle potential HIPAA violations related to a breach. The company provides IT, health information management and other services to the hospitals and clinics owned by Franklin, Tenn.-based CHS.
6. Athens (Ga.) Orthopedic in September agreed to pay $1.5 million to settle HIPAA noncompliance related to a 2016 EHR hacking incident that exposed 208,557 individuals’ information. The patient records were posted online for sale by the hackers.
7. Beth Israel Lahey Health Behavioral Services in September agreed to pay $70,000 to settle potential HIPAA violations related to an April 2019 complaint that an individual was unable to access her father’s medical records.
8. Housing Works, a New York City-based nonprofit organization providing healthcare and other services to individuals in need, agreed to pay $38,000 in September after a June 2019 complaint alleged the organization failed to provide an individual a copy of his medical records. The same individual filed a second complaint against the organization in August; he eventually received his medical records in November 2019.
9. All Inclusive Medical Services, a multispecialty family medicine clinic based in Carmichael, Calif., in September agreed to pay $15,000 after a January 2018 complaint alleged it refused to give a patient her medical records. The patient received her records in August 2020.
10. Wise Psychiatry, a Colorado-based psychiatric services provider, agreed to pay $10,000 in September after failing in 2017 to give a minor patient’s personal representative access to her son’s medical records. That complaint was closed in April 2018, but OCR received a second complaint in October 2018 alleging that the individual still had not received access to her son’s medical records; she eventually received the records in May 2019.
11. King MD, a psychiatric services provider in Virginia, agreed to pay $3,500 in September after OCR received a complaint in October 2018 that it did not respond to a patient’s request for medical records access. The agency received another complaint in February 2019 alleging that the individual still did not have access to the medical records; the records were eventually provided in July 2020.
12. Dignity Health, doing business as St. Joseph’s Hospital and Medical Center, in October agreed to pay $160,000 for violating the HIPAA Right of Access rule. On April 25, 2018, OCR received a complaint from a mother claiming that she made multiple requests to SJHMC starting in January 2018 for a copy of her son’s medical records. She didn’t receive all the records until December 2019.
13. NY Spine Medicine in New York City in October agreed to pay $100,000 for violating the HIPAA Right of Access rule. In July 2019, OCR received a complaint from an individual who claimed she made multiple requests to NY Spine Medicine for a copy of her medical records that June. While the medical practice provided some of the patient’s records, it did not give her the diagnostic films she specifically requested; the patient received her medical records this October.
14. Aetna agreed to pay $1 million in October to settle three separate HIPAA violations that all took place within a six-month period in 2017 and affected nearly 18,500 members.
15. The New Haven (Conn.) Health Department in October agreed to pay $202,400 for a 2017 HIPAA breach related to the improper termination of a former employee’s access to patient medical records. The former employee returned to the health department eight days after being fired in 2016 and logged onto her old computer using her still-active user account. She then downloaded PHI, including names, addresses and dates of birth, to a USB drive.
16. Riverside (Calif.) Psychiatric Medical Group in November agreed to pay $25,000 to settle HIPAA Right of Access violation allegations. OCR received a complaint in March 2019 from a patient claiming the medical group did not provide her a copy of her records after several requests. OCR then received a second complaint on the matter in April 2019; the records were eventually provided to the patient in October.
17. Rajendra Bhayani, MD, who operates a private otolaryngology practice in Rego Park, N.Y., agreed in November to pay $15,000 after OCR received a complaint in September 2018 that he did not respond to a patient’s request for medical records access. The agency received another complaint about Dr. Bhayani in July 2019 alleging that the individual still did not have access to the medical records; the records were eventually provided in September 2020.