The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a number of resolution agreements during the summer of 2023. These resolution agreements are diverse in the types of entities involved, as well as the identified issues of HIPAA noncompliance. There are several takeaways from the resolution agreements, as well as the corresponding corrective action plans (CAPs), that remind HIPAA-regulated entities of important compliance obligations.
Access restrictions provide fundamental security protection.
On June 15, 2023, OCR entered into a resolution agreement with Yakima Valley Memorial Hospital, a not-for-profit community hospital in Yakima, Washington, to resolve allegations that workforce members violated HIPAA by “snooping” in patients’ medical records.
In February 2018, the hospital notified OCR of a HIPAA breach involving security guards using their electronic health record login credentials to access patient records without a job-related purpose, allegedly impermissibly accessing the protected health information (PHI) of 419 individuals. OCR initiated an investigation and determined that Yakima Valley Memorial Hospital did not have adequate policies and procedures in place to comply with the HIPAA Security Rule.
In addition to paying $240,000, OCR required Yakima Valley Memorial Hospital to enter into a two-year CAP. The CAP requires the hospital to conduct a security risk analysis and implement a risk management plan, as well as to develop, maintain, and revise its written HIPAA policies and procedures and enhance its existing HIPAA and security training.
In its summary of the enforcement action, OCR emphasizes the need for a HIPAA-regulated entity to comply with the HIPAA Security Rule requirement of restricting access to patient information and providing workforce members only with the access necessary to perform their job duties. Covered entities and business associates also need to ensure that their HIPAA compliance program covers the entirety of their organization, from the front-line clinical staff to the CEO to janitors and other support staff, and that HIPAA training is provided to each workforce member.
An enterprise-wide security risk analysis remains a key component of HIPAA compliance.
In resolution agreements released in May and June 2023, OCR entered into settlement agreements with two business associates following investigations of HIPAA breaches, with OCR concluding that both organizations lacked sufficient enterprise-wide security risk analyses.
In August 2017, OCR received a breach notification report from iHealth Solutions, Inc., stating that the PHI of 267 individuals was exfiltrated from an unsecured server by an unauthorized person. iHealth Solutions is a Kentucky-based business associate that provides billing, coding, and information technology services to healthcare providers. OCR’s investigation revealed that iHealth Solutions failed to conduct an adequate security risk analysis to determine risks and vulnerabilities to electronic PHI across the organization. In a settlement announced on June 28, 2023, iHealth Solutions agreed to pay $75,000 and implement a two-year CAP.
Similarly, in May 2023, OCR announced a settlement with MedEvolve, Inc., also a HIPAA business associate that provides practice management, revenue cycle management, and practice analytics software services. In July 2018, OCR received a breach notification report stating that a file transfer protocol (FTP) server containing the PHI of 230,572 individuals had been openly accessible on the internet since January 1, 2018. OCR found that MedEvolve did not conduct a “sufficiently accurate or thorough” risk analysis. Pursuant to its settlement with OCR, MedEvolve agreed to pay $350,000 and enter into a two-year CAP.
The lack of an enterprise-wide risk analysis is both a common element of HIPAA noncompliance and a key enforcement point for OCR. Covered entities, business associates, and subcontractor business associates that have not yet conducted a risk analysis, or whose existing analysis is not broad enough to assess all of the risks and vulnerabilities to the electronic PHI held by the organization, should take steps to conduct a thorough and complete risk analysis.
“Small” breaches may bring enforcement.
It is also important to note that the investigations of both Yakima Valley Memorial Hospital and iHealth Solutions followed OCR’s receipt of breach notifications for “small” breaches, those affecting fewer than 500 individuals. “Small” breaches do not automatically trigger an OCR investigation, but OCR has the discretion to investigate any HIPAA breach. Covered entities and business associates should remember that a breach, no matter how small, can trigger an investigation, which in turn may lead to findings of HIPAA noncompliance.
HIPAA-regulated entities must use caution when responding to online reviews.
OCR announced a settlement with Manasa Health Center, LLC on June 5, 2023, to resolve allegations that the psychiatric practice impermissibly disclosed PHI in its response to a patient’s online review.
In April 2020, OCR received a complaint alleging that the Manasa Health Center impermissibly disclosed the PHI of a patient when the entity posted a response to the patient’s negative Google review. The health center’s response allegedly included information about the individual’s diagnosis and treatment of their mental health condition. OCR’s subsequent investigation revealed potential HIPAA violations, including impermissible disclosures of PHI of four patients in response to negative Google reviews and the failure of the entity to implement HIPAA Privacy Rule policies and procedures. Manasa Health Center agreed to pay $30,000 and entered into a two-year CAP.
Through this enforcement action, OCR emphasizes to HIPAA-regulated entities that disclosures of information on social media and through internet posts must not impermissibly contain PHI. Covered entities and business associates should take care in their responses, as even confirmation of facts posted online by a patient may raise compliance issues under HIPAA. Entities should ensure that their public relations, social media, and administrative teams are trained on acceptable online responses and what content may result in a HIPAA breach.
OCR’s Right of Access Initiative remains an enforcement priority.
In the last settlement released during the summer of 2023, OCR published its 45th HIPAA Right of Access Initiative settlement and its first with a health plan. UnitedHealthcare Insurance Company agreed to pay $80,000 and enter into a one-year CAP to resolve allegations that the health plan did not provide an individual with a copy of their records until six months after the initial request.
The right of access is a fundamental patient right under the HIPAA Privacy Rule. Healthcare providers, health plans, and any business associates assisting with the provision of access to records must ensure that they are following the requirements of the HIPAA Privacy Rule with respect to the provision of access. A HIPAA covered entity must provide patient access within 30 days of a request unless it has a reason to deny the request, as permissible under the Privacy Rule, or it has a valid reason to extend its response time by no more than 30 days. Previous OCR guidance indicates that this 30-day requirement is an “outer limit,” encouraging covered entities to provide access as soon as possible. Health plans and other HIPAA-regulated entities should take care to ensure that their workforce, particularly the administrative staff and medical records personnel who receive records requests, have a comprehensive understanding of this HIPAA requirement.
The OCR resolution agreements released in the summer of 2023 provide HIPAA covered entities and business associates with a roadmap of some key compliance considerations. Entities can use these examples to ensure that they have adopted robust compliance policies and procedures and to enhance workforce training to better inform their teams of HIPAA compliance obligations.