OCR imposed more financial penalties on HIPAA covered entities and business associates in 2020 than in any year since the HIPAA Enforcement Rule authorized it to issue financial penalties against non-compliant entities. As of October 30, 2020, OCR had reported 15 settlements resolving HIPAA violation cases, including the following 4 financial penalties in October.
1. The health insurance company Aetna paid $1,000,000 as a penalty for multiple HIPAA violations that resulted in details of HIV medications being visible in a mailing. OCR investigators found the following problems:
- lack of a technical and non-technical assessment in response to environmental or operational changes affecting PHI security
- failure to verify identity
- failure to require minimum information
- lack of administrative, physical and technical safeguards
- impermissible disclosure of 18,849 people’s PHI
2. The City of New Haven, CT paid OCR $202,400 as a penalty in a HIPAA case linked to its failure to immediately limit access to systems containing ePHI after an employee was terminated. That failure led to an impermissible disclosure of 498 persons’ ePHI. OCR additionally discovered that the organization had failed to conduct a risk analysis and to create unique IDs to enable tracking of system activity.
3-4. Two of the penalties issued by OCR were part of its HIPAA Right of Access enforcement initiative. The fines were imposed because the entities failed to provide patients with copies of their medical records in a timely manner and at a fair fee. Dignity Health, also known as St. Joseph’s Hospital and Medical Center, paid OCR $160,000 to settle its violation, and NY Spine paid $100,000 to settle its case.
State attorneys general also play a part in enforcing HIPAA compliance. In October, Community Health Systems, based in Franklin, TN, and its subsidiary CHSPCS LLC paid $5 million to settle a multi-state action associated with a 2014 breach of 6.1 million persons’ ePHI. The investigators found that Community Health Systems had failed to put in place and maintain good security practices.