Recent HIPAA Breach Settlements - Lessons Learned

Client Alert

As a healthcare provider, you are likely familiar with the Health Insurance Portability and Accountability Act (HIPAA). But do you know how serious the consequences of a HIPAA breach can be? According to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the consequences for providers may include settlements ranging from $30,000 to $240,000. OCR recently announced two settlements for impermissible disclosures of protected health information (PHI) that are good examples of the major monetary penalties that can result from common HIPAA mistakes.

Disclosing PHI in Responses to Negative Reviews

In April 2020, a health care provider in New Jersey impermissibly disclosed the PHI (including information on diagnoses and treatment) of its patients in response to negative online reviews. OCR investigated following a patient complaint and found that the provider had impermissibly disclosed patient PHI and had failed to implement policies and procedures with respect to protected information. On June 5, 2023, the provider agreed to pay $30,000 to OCR to settle the complaint. Additionally, the provider agreed to implement a corrective action plan to resolve potential violations. The plan included, among others, the following steps:

  • Train all workforce members on the organization’s policies and procedures for complying with HIPAA privacy requirements;
  • Issue breach notices to all whose PHI was disclosed on any internet platform without valid authorization; and
  • Submit a breach report to HHS on individuals whose PHI was disclosed on any internet platform without valid authorization.

In response to the complaint, OCR Director Melanie Fontes Rainer stated, “OCR continues to receive complaints about health care providers disclosing their patients’ protected health information on social media or on the internet in response to negative reviews.” Fontes Rainer added, “[s]imply put, this is not allowed.”

Snooping by Security Guards

On June 15, 2023, a Washington hospital paid $240,000 to settle its HIPAA breach affecting 419 individuals. Following a breach notification report filed by the hospital, OCR investigated and found that 23 of the hospital’s security guards had impermissibly accessed the medical records of hundreds of patients without a job-related purpose. The guards accessed information including names, dates of birth, medical record numbers, addresses, certain treatment-related notes, and insurance information.

In addition to the $240,000 settlement, the hospital was required to implement a plan to update its policies and procedures to safeguard PHI and prevent its workforce members from snooping in the future. Further, the hospital is to be monitored by OCR for two years to ensure its compliance with the HIPAA Security Rule. The hospital agreed to take the following steps, among others, to bring it into HIPAA compliance:

  • Conduct a risk analysis to determine risks and vulnerabilities to electronic PHI;
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis; and
  • Enhance its existing HIPAA and Security Training Program to provide workforce training on updated HIPAA policies and procedures.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs,” Fontes Rainer stated. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

HIPAA breaches are to be taken very seriously. It is imperative for health care providers to have current HIPAA compliance plans, trainings, and breach protocols. For questions, or to update your HIPAA compliance plan, please reach out to attorney Ashley Watson at abwatson@bmdllc.com or any members of the BMD Healthcare Team.
