OSHA Explores More Aggressive Position on OSH Act Noncompliance and Banner Health’s HIPAA Violation Settlement

At the end of January, the U.S. Department of Labor Occupational Safety and Health Administration (OSHA) issued new enforcement guidance that lets the agency take a more aggressive position on critical violations of the Occupational Safety and Health Act (OSH Act) in order to boost OSH Act compliance.

OSHA will be increasing its enforcement actions and will be issuing considerably more civil monetary penalties to employers that do not give a secure workspace for their staff members. As per OSHA, the new guidance was meant to make penalties more efficient at preventing employers from frequently exposing employees to deadly risks or not complying with selected work safety and wellness prerequisites.

The guidance for its Regional and Area Offices addresses instance-by-instance (IBI) citations for serious violations of OSHA standards associated with falls, trenching, machine guarding, respiratory safety, permit-required restricted areas, and lockout tagout, in addition to other-than-serious violations of OSHA requirements associated with recordkeeping. The new guidance particularly concerns the basic industry, construction, agriculture, and maritime industries.

The present OSHA policy is set up since 1990 and pertains to willful citations; nevertheless, OSHA thinks the use of IBI citations must be expanded so as to incentivize companies to make safety a priority over profit and act to stop workplace accidents and deaths. The more aggressive method of enforcement will make employers more accountable for health and safety problems at work and will improve work conditions for the U.S. labor force.

The new enforcement guidance will be in effect within 60 days of its issuance, which means employers have up to March 27, 2023 to make sure they fully comply with their responsibilities with the OSH Act. From then on, OSHA Regional and Area Offices could implement the complete authority allowed by the OSH Act. The choice to utilize IBI citations will most likely be depending on at least one of these factors:

  • The employer has obtained a willful, repeat, or inability to decrease the violation in the last five years where that group is existing.
  • The employer was unable to report a death, amputation, in-patient hospitalization, or damage of an eye as specified in 29 CFR 1904.39.
  • The suggested citations are associated with a death/catastrophe.
  • The suggested recordkeeping citations are associated with injuries or illness(es) caused by a critical risk.

IBI citations may be used when appropriate standards allow, which include per equipment, area, entry, or staff, and different penalties are issued per violation. Inspectors are urged not to group citations because OSHA thinks issuing specific citations could be more effective at motivating employers to adhere to every provision of the OSH Act. Inspectors are, nonetheless, allowed to help use their discernment and could use IBI citations for certain, but not all, violations discovered in a similar inspection; nevertheless, all violations should be completely recorded.

The new enforcement strategy will ensure that employers with repetitive violations of health and safety rules are given more comprehensive and aggressive inspections, and will be issued bigger financial penalties. There was a 7.7% increase in penalties for OSH Act violations on January 17, 2023, according to the Inflation Adjustment Act.

OSH Act violations in 2023 and the corresponding financial penalties are as follows:

$156,259 per willful and repeated violations
$15,625 per serious or other-than-serious violations

Banner Health Pays $1.25 Million for Alleged HIPAA Security Rule Violations

The HHS’ Office for Civil Rights has issued this 2023’s second financial penalty to settle alleged Health Insurance Portability and Accountability Act (HIPAA) violations. Besides paying OCR a $1,250,000 financial penalty, Banner Health will implement a corrective action plan to address its HIPAA Security Rule violations.

Banner Health is one of the biggest U.S. non-profit health systems in Phoenix, AZ. It has 30 hospitals and over 69 affiliated healthcare centers located in 6 U.S. states with over 50,000 employees. On July 13, 2016, Banner Health discovered a security breach. The succeeding investigation confirmed that hackers acquired access to its network on June 17, 2016. The attackers accessed systems that contained 2.81 million individuals’ protected health information (PHI). Compromised PHI includes names, addresses, birth dates, Social Security numbers, claims details, laboratory results, prescription drugs, diagnoses, and medical insurance data. After receiving information regarding the impermissible disclosure of PHI, OCR started to evaluate Banner Health’s HIPAA Security Rule compliance to find out whether noncompliance contributed to the occurrence of the data breach.

OCR’s investigators confirmed that Banner Health did not carry out a precise and comprehensive analysis of risks and vulnerabilities to ePHI integrity, confidentiality and availability. The administrative safety measures of the HIPAA Security Rule consist of a requirement to perform routine audits of information system activity to spot unauthorized PHI access. OCR confirmed that Banner Health did not implement enough procedures to carry out routine audits.

The HIPAA Security Rule calls for covered entities to apply technical safety measures to protect the integrity, confidentiality, and availability of ePHI. Banner Health did not undertake adequate procedures to confirm the identity of those wanting access to ePHI to make sure they are legit, and not enough technical security measures were put in place to secure against unauthorized ePHI access, which may then be to an electronic communications network.

OCR stated its investigators discovered proof of extensive, pervasive noncompliance with the HIPAA Security Regulation throughout the Banner Health organization. This concern was serious considering how big the covered entity is. The HIPAA violations were quite serious to justify a financial penalty. Besides having to pay a financial penalty, Banner Health has consented to undertake a corrective action plan (CAP) including the need to carry out a proper and comprehensive risk analysis to find risks and vulnerabilities to electronic patient/system information throughout the organization and create a risk management plan to deal with any vulnerabilities discovered by the risk evaluation. Policies and procedures ought to be created, applied, and sent out to the employees to cover risk analyses, risk control, system activity audits, authentication procedures, and security steps to secure against unauthorized access of PHI. For 2 years, OCR will keep track of Banner Health’s compliance with the CAP.

Hackers still endanger the privacy and security of patient data kept by healthcare companies, such as U.S. hospitals, as stated by OCR Director Melanie Fontes Rainer. It is crucial that hospitals as well as other covered entities and business associates are heedful in taking solid steps to safeguard their systems, information, and records. This starts with knowing their risks and doing something to stop, respond to, and fight these cyber-attacks. The Office for Civil Rights offers help and assistance to healthcare companies to secure against threats in cyber security and adhere to their responsibilities with the HIPAA Security Rule.

About Christine Garcia 1295 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA