In a settlement that was remarkable for the combination of the payment amount and the type of provider involved, OCR announced on 21 September 2020 an agreement with Athens Orthopedic Clinic PA ("Athens Orthopedic"). The settlement agreement resolved alleged HIPAA violations that were discovered after Athens Orthopedic, a covered entity, suffered a data breach.

Patient access to their PHI has been a central concern and focus for OCR over the past two years, so it is fitting that these settlements reflect this. Each of these five resolution agreements arose from patient complaints to OCR after individuals were not given access to their PHI as they had requested. These five HIPAA violations were settled for relatively small amounts, but they send a message that OCR takes compliance with the HIPAA rules seriously, including an individual's right of access.

Settlement of $1.55 million highlights the importance of implementing HIPAA Business Associate Agreements - March 16, 2016

Clearly, the majority of OCR settlements this month related to the Right of Access initiative. However, three other resolution agreements are important, in particular the second-largest fine ever imposed by OCR. In all three cases, OCR found that the organizations had violated the HIPAA rules and, in addition to the fines, imposed two-year corrective action plans with close monitoring on each of them.

If anyone doubts that HIPAA is enforced, the Office for Civil Rights (OCR), which oversees HIPAA compliance, has made it clear over the past two weeks that it is serious. In its recent announcements of resolution agreements and monetary settlements, OCR has provided examples across eight covered entities and business associates of all kinds and sizes. The resolution agreement resolves two separate complaints filed with OCR on behalf of two prominent patients treated at UCLAHS.
The complaints alleged that UCLAHS staff repeatedly, and without a permissible reason, reviewed the electronic protected health information of these patients.

The HHS Office for Civil Rights (OCR) announced a $6.85 million resolution agreement with a health insurer to address possible violations of the HIPAA Privacy and Security Rules that led to a breach of protected health information (PHI) affecting more than 10 million people. The underlying breach was attributed to cyber-attackers who used a phishing email campaign to install malware that gave them access to the insurer's computer systems. The attack, which went undetected for nearly nine months, exposed people's names and contact information, dates of birth, social security numbers, bank account information, clinical information and other PHI. The OCR investigation found that the HIPAA rules were not systematically followed, including failures to conduct an enterprise-wide risk analysis, to implement sufficient security measures to manage risk, and to implement audit controls for recording and examining information system activity.

The settlement amounts for these agreements ranged from $3,500 to $6.85 million, the latter being the second-largest HIPAA penalty on record. The eight agreements varied not only in amount but also in the type of organization, with both covered entities and business associates included in this month's summary. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced eight resolutions since September 15, 2020.
These settlement agreements resolve alleged HIPAA violations by a range of organizations, from small psychiatric care providers to large health insurers, and involve covered entities and business associates alike.