21st Century Oncology agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) a settlement fee to resolve HIPAA violations that were discovered during the investigation of a 2015 PHI breach involving 2.2 million patients. It was the Federal Bureau of Investigation (FBI) that discovered the breach and informed 21st Century Oncology about it. Allegedly, an unauthorized person accessed a patient database and stole its data on November 13 and December 13, 2015.
21st Century Oncology engaged a third-party forensics company to help with the investigation. The investigators found that the first potential access to the network SQL database occurred on October 3, 2015. The database contained the PHI of 2,213,59 patients. The database was accessed using Remote Desktop Protocol from an Exchange Server within 21st Century Oncology’s network.
OCR investigated the breach because it affected more than 500 individuals, and the investigation uncovered multiple violations of the HIPAA Rules. OCR reported that 21st Century Oncology failed to do what is required by:
· 45 CFR § 164.308(a)(1)(ii)(A), which is to conduct a comprehensive, organization-wide risk assessment to identify potential risks to the confidentiality, integrity and availability of ePHI.
· 45 CFR § 164.306(A), which is to implement sufficient measures to reduce those risks to an appropriate and acceptable level.
· 45 CFR § 164.308(a)(1)(ii)(D), which is to perform regular reviews of records of system activity, such as access logs, audit logs and security incident tracking reports.
· The requirement to sign a HIPAA-compliant Business Associate Agreement (BAA) before disclosing patients’ PHI to business associates.
To resolve all the violations, 21st Century Oncology agreed to a financial settlement of $2.3 million. Its insurance policy will cover the HIPAA fine, since the organization’s bankruptcy proceedings are already ongoing. In addition, 21st Century Oncology agreed to implement a comprehensive corrective action plan (CAP) to ensure that its policies and procedures comply with HIPAA standards. Among other things, the CAP requires appointing a compliance officer, revising policies and procedures to include system activity reviews, conducting an organization-wide risk assessment and training staff on the new policies.
21st Century Oncology is also set to pay the Department of Justice a settlement fee of $26 million to resolve its Stark Law, Meaningful Use and False Claims Act violations. Allegedly, 21st Century Oncology submitted false or inflated Meaningful Use attestations to obtain incentive payments, and its employees falsely submitted EHR reports to avoid downward payment adjustments. The company also allegedly submitted claims involving kickbacks for physician self-referrals, which violates the Stark Law.