3 recent HIPAA enforcement actions.

© profit_Image - stock.adobe.com

Between Nov. 26 and Dec. 5, the U.S. Department of Health and Human Services – Office of Civil Rights (HHS-OCR) announced three settlements involving Privacy Rule and Security Rule violations. There are take-aways from each enforcement action that covered entities and business associates alike can utilize to educate themselves and verify that their practices are compliant.

Nov. 26 –HIPAA Privacy Rule violation including reproductive health information

At the core of this enforcement action which resulted in a two-year corrective action plan (CAP) and a payment of $35,581, was the disclosure of a female patient’s protected health information (PHI) by a hospital located in Pennsylvania. The situation at issue here is particularly troubling because instead of sending a single test result to a prospective employer, which she did authorize to be sent, the hospital sent her entire medical record, which included past diagnoses and treatment related to reproductive healthcare. As HHS OCR stated, “her surgical history, gynecological history, obstetric history, and other sensitive health information concerning reproductive health care [were sent to the prospective employer].”

Additionally, “OCR’s investigation found that Holy Redeemer disclosed the patient’s full medical record, including protected health information concerning her reproductive health care, that it did not have the patient’s authorization for the broad disclosure of her protected health information, and that there otherwise was no applicable requirement or permission under the Privacy Rule for such a broad release of her medical records.”

Take-aways

1. Requests for the disclosure of any PHI should be read carefully.
2. Only disclose the “minimum necessary.” The "minimum necessary" standard is outlined in 45 CFR Part 164.502, which essentially states that covered entities must make reasonable efforts to only use, disclose, or request the minimum amount of protected health information (PHI) needed to accomplish the intended purpose; this means limiting access to only the necessary information and not accessing more than what is required for a specific task.
3. In light of the Dec. 23 compliance date of most aspects of the HIPAA Reproductive Privacy Rule, care should be taken to update policies and procedures, engage in training, and ensure that appropriate staff know when to utilize the required (45 CFR § 164.509) Attestation Form.

Dec. 3 – HIPAA Security Rule Violations

A $1,190,000 civil monetary penalty and CAP were imposed on a medical practice that utilized a contractor (business associate), who in-turn unlawfully accessed patient records to use for downstream healthcare fraud purposes. According to HHS OCR,

Gulf Coast Pain Consultants, which reported that a former contractor had impermissibly accessed Gulf Coast’s electronic medical record system to retrieve PHI for use in potential fraudulent Medicare claims. OCR’s investigation determined that the impermissible access occurred on three occasions, affecting approximately 34,310 individuals. The compromised PHI included patient names, addresses, phone numbers, email addresses, dates of birth, Social Security numbers, chart numbers, insurance information, and primary care information.

Additionally, OCR noted areas of failure, which unfortunately are common.

Take-aways

1. Conduct an annual HIPAA risk analysis to identify and correct gaps in technical, administrative and physical safeguards.
2. Use role-based access controls.
3. Implement regular access activity log reviews.

Dec. 5 – HIPAA Privacy Rule and Security Rule violations involving a children’s hospital

As every covered entity and business associate should appreciate, the Security Rule requires that technical, administrative and physical safeguards are implemented to ensure the confidentiality, integrity and availability of the PHI. Notably, the $548,265 civil monetary penalty was assessed against a children’s hospital for not having adequate safeguards.

Here, a phishing attack resulted in an exploitation of a vulnerability, which led to a significant breach. As HHS OCR stated,

The phishing attack that compromised an email account containing 3,370 individuals’ PHI and another after three email accounts were breached, containing 10,840 individuals’ PHI. OCR’s investigation determined that the first reported breach occurred because multi-factor authentication was disabled on an email account. The second breaches occurred, in part, when workforce members gave permission to unknown third parties to access their email accounts. OCR also found violations of the HIPAA Privacy Rule for failure to train workforce members on the HIPAA Privacy Rule, and the HIPAA Security Rule requirement to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems.

Take-aways

1. Training should be ongoing throughout the year and can include highlighting enforcement actions as reminders.
2. Multi-factor authentication (MFA) needs to be vetted to ensure that it is secure. Once this is done, MFA needs to be utilized in practice.
3. During the Holiday Season, which is known to be a high-target time for cybercriminals to execute phishing attacks, people should take the time to think before clicking a link.

In sum, these enforcement actions underscore all facets of HIPAA Privacy Rule and Security Rule violations. “Cybersecurity is patient safety” and the continued downstream implications for the use of PHI for other unlawful purposes including insurance fraud and predatory practices targeted at minors are significant. The best place to start is to put a HIPAA Risk Analysis high on one’s New Year’s Resolutions at the beginning of 2025.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.