Medicare Compliance & Reimbursement

HIPAA Round-Up: Feds Ramp Up Enforcement Post-PHE

OCR settles a cornucopia of cases in mid-year sweep.

The first half of 2023 was relatively quiet on the HIPAA enforcement front, with much of the feds’ focus on proposals, announcements, and guidance in the wake of the COVID-19 public health emergency’s (PHE) end. But, since May 1, the HHS Office for Civil Rights (OCR) has settled five extremely diverse cases, suggesting that the second half of the year may be a doozy for covered entities (CEs) and their business associates (BAs).

During the pandemic, OCR naturally fixated on COVID-related issues and policymaking to ensure that patients’ rights were protected and that data sharing continued alongside efforts to curb the spread of the virus. As COVID cases began to recede, the lion’s share of HIPAA violations fell under the Right of Access provision. The recent settlements cover an amalgam of violation types, from unsecured servers to medical records mishaps — and, of course, more Right of Access issues.

If you’re reorganizing your HIPAA compliance policies in the new healthcare landscape after COVID, consider reviewing these violations and settlements.

Right of Access: On May 8, OCR announced its 44th Right of Access settlement since instituting the Initiative in 2019 (see Medicare Compliance & Reimbursement, Vol. 45, No. 18). According to a December 2017 complaint, Pittsburgh-based counselor David Mente failed to hand over three minor patients’ medical records to their father in a timely manner when requested. The father made a second request, which also went unresolved, and he filed another complaint with OCR in 2018.

Mente agreed to pay OCR $15,000, enter into a corrective action plan (CAP), and hand over the requested records to resolve the HIPAA Privacy Rule violation. “It should not take an individual or their parent representative nearly six years and multiple complaints to gain access to patient records,” cautioned OCR Director Melanie Fontes Rainer in a release. “HIPAA regulated entities should be proactive and work to ensure patients and their representatives can access records.”

Review the OCR release, which includes additional links to the Right of Access provision and the CAP, at www.hhs.gov/about/news/2023/05/08/hhs-office-civil-rights-enters-settlement-resolving-potential-hipaa-violation-right-access-initiative.html.

Unlawful disclosure: One recent case is a reminder that business associate agreements (BAAs) are essential, because a partner’s failure on HIPAA compliance becomes your problem. On May 16, OCR settled with MedEvolve Inc., an Arkansas-based IT and software vendor for CEs. After an investigation, OCR discovered that a data breach on a MedEvolve server left 230,572 individuals’ protected health information (PHI) unsecured and accessible on the internet, a release indicated.

Additionally, the software firm failed to run a risk analysis and didn’t have a BAA in place as a subcontractor — both requirements under the HIPAA Security Rule. MedEvolve agreed to pay $350,000 to settle the potential violation and enter into a CAP, which includes two years of OCR monitoring.

“Network servers are the largest category by location for breaches involving 500 or more individuals,” OCR reminded in the release. “It is critical that HIPAA covered entities and their business associates improve their efforts to identify, deter, protect against, detect, and respond to cybersecurity threats and malicious actors.”

See the case details and CAP at www.hhs.gov/about/news/2023/05/16/hhs-office-civil-rights-settles-hipaa-investigation-arkansas-business-associate-medevolve-following-unlawful-disclosure-phi-unsecured-server-350-000.html.

Social media: One healthcare provider learned the hard way that sometimes it’s better to ignore bad reviews on social media sites. On June 5, New Jersey psychiatric provider Manasa Health Center, LLC, agreed to settle a potential violation stemming from the CE’s response to a negative online review; a complaint about that response spurred the OCR investigation. In April 2020, the patient complained that Manasa’s comments on the review revealed their private health data and diagnosis.

“OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews. Simply put, this is not allowed,” Fontes Rainer said in a release.

Manasa will enter into a two-year CAP with OCR monitoring and pay a $30,000 penalty.

Tip: What you post says a lot about you as a provider, so outlining your objectives before you engage online is always a wise decision from both a marketing and a compliance standpoint. This matters because it is very easy to cross the line during digital discourse.

“I think there is a residual level of ignorance about HIPAA among many providers, when it comes to everything from social media to simple provision of individual access to medical records,” informs HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Some just don’t seem to understand the rules until they’re faced with an enforcement investigation.”

Find the settlement specifics in the release at www.hhs.gov/about/news/2023/06/05/hhs-office-civil-rights-reaches-agreement-health-care-provider-new-jersey-disclosed-phi-response-negative-online-reviews.html.

Workforce: Insider threats are no joke, as Yakima Valley Memorial Hospital in Yakima, Washington, discovered after the not-for-profit hospital’s security guards were caught using their login credentials to access patients’ personal data and PHI. In 2018, with no purpose in mind other than to snoop, 23 security guards logged in and accessed information that “included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information,” OCR said in a brief.

On June 15, the CE agreed to pay OCR $240,000 to settle the HIPAA violations and will be monitored by OCR for two years as part of its CAP. The hospital pledged to implement stronger compliance policies and better train its workforce, the release said.

Peruse the resolution agreement and CAP in the release at www.hhs.gov/about/news/2023/06/15/snooping-medical-records-by-hospital-security-guards-leads-240-000-hipaa-settlement.html.

Impermissible disclosure: In another case of server woes for BAs, a coding, billing, and IT vendor exposed 267 patients’ PHI on the internet when a server was breached. In August 2017, after the BA reported the breach, OCR investigated the Kentucky-based iHealth Solutions, LLC (dba Advantum Health) and discovered an unsecured server.

“In addition to the impermissible disclosure of protected health information, OCR’s investigation found evidence of the potential failure by iHealth Solutions to have in place an analysis to determine risks and vulnerabilities to electronic protected health information across the organization,” the agency noted.

To resolve the violation, iHealth Solutions will enter into a CAP to ensure compliance with the HIPAA Security Rule, undergo two years of OCR monitoring, and pay the feds a $75,000 settlement.

Check out the case particulars at www.hhs.gov/about/news/2023/06/28/hhs-office-for-civil-rights-settles-hipaa-investigation-ihealth-solutions-regarding-disclosure-protected-health-information-unsecured-server-for-75-000.html.