Paubox blog: HIPAA compliant email made easy

A look at 2023 HIPAA violation fines

Written by Farah Amod | February 12, 2024

In 2023, the Office for Civil Rights (OCR) settled numerous cases with healthcare organizations for potential HIPAA violations. These violations resulted in hefty fines and corrective action plans.

HIPAA privacy rule

The HIPAA right of access grants individuals the right to access their protected health information (PHI) and transmit it to a designated person or entity of their choice. 

Optum Medical Care

Optum Medical Care, a multi-specialty physician group, received multiple complaints regarding their failure to provide timely access to requested medical records. Patients had to wait between 84 and 231 days to receive their records, well beyond the 30-day period mandated by HIPAA. To avoid potential civil monetary penalties, Optum settled with OCR for $160,000 and committed to implementing a corrective action plan.

To protect your practice from OCR investigations for right of access violations, consider implementing the following measures:

  • Train staff: Educate your staff on the practice's right of access policies and procedures.
  • Adhere to deadlines: Honor the 30-day deadline for providing access to medical records. If more time is needed, communicate the reason for the delay to the patient.
  • Follow OCR's technical assistance: If OCR provides technical assistance, ensure that you follow it. Failure to comply may lead to additional enforcement actions.
  • Learn from fines: Stay updated on the fines and settlements related to HIPAA violations to understand the consequences and learn from others' mistakes.

In addition to the right of access violations, OCR continued to enforce other aspects of the HIPAA privacy rule in 2023:

St. Joseph's Medical Center

St. Joseph's Medical Center faced a potential HIPAA violation for disclosing patients' protected health information to the Associated Press without obtaining written authorization. The disclosure included sensitive information related to the patients' COVID-19 diagnoses and treatment plans. St. Joseph's settled with OCR for $80,000 and committed to amending its policies and procedures.

To protect your practice from privacy violations in 2024, consider the following measures:

  • Review policies and procedures: Ensure that your policies and procedures cover how to respond to online reviews and when disclosures to media outlets are permissible.
  • Stay informed: Use the resources the Department of Health and Human Services (HHS) provides to prevent privacy violations.
  • Train your workforce: Conduct regular training specific to your organization and job responsibilities to reinforce the importance of privacy and security.

HIPAA security rule

In 2023, OCR vigorously enforced the HIPAA security rule. Let's explore two cases:

Lafourche Medical Group

Lafourche Medical Group experienced a data breach when a hacker gained access to an employee's email account through a phishing attack. The breach potentially exposed the PHI of approximately 34,862 patients. OCR's investigation found that Lafourche had insufficient security measures in place, including a failure to conduct a security risk assessment and a lack of policies and procedures for reviewing information system activity. Lafourche settled with OCR for $480,000 and agreed to a two-year corrective action plan.

To mitigate or prevent cyber threats and ensure compliance with the HIPAA security rule, consider implementing the following best practices:

  • Vendor and contractor oversight: Review all vendor and contractor relationships to ensure business associate agreements are in place and address breach and security incident obligations.
  • Risk analysis and management: Incorporate risk analysis and management into your business processes, conducting regular assessments and considering new technologies and business operations.
  • Audit controls and monitoring: Implement audit controls to record and examine information system activity and regularly review this activity.
  • Authentication and encryption: Utilize multi-factor authentication to ensure authorized access to ePHI and encrypt ePHI to guard against unauthorized access.
  • Training and awareness: Provide regular training to your workforce, emphasizing their critical role in protecting privacy and security.

LA Care Health Plan

LA Care Health Plan, the largest publicly operated health plan in the United States, settled with OCR for $1.3 million. The settlement resulted from potential HIPAA violations related to the failure to conduct a risk analysis, implement sufficient security measures, and regularly review information system activity.

To avoid potential violations of the HIPAA security rule, ensure that your organization:

  • Conducts accurate risk assessments: Perform regular risk assessments to identify vulnerabilities and implement appropriate security measures.
  • Develops and revises policies: Maintain up-to-date policies and procedures that comply with the privacy and security rules.
  • Reviews vendor relationships: Ensure business associate agreements are in place and address security obligations.
  • Trains the workforce: Provide comprehensive training to your workforce on HIPAA policies and procedures, emphasizing privacy and security.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

Is there a database for HIPAA violations?

All information on HIPAA violation cases is provided by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on their HIPAA Resolution Agreements overview. For the full list of HIPAA breaches and fines, you can visit OCR's Breach Portal.

What is an example of a HIPAA violation email?

  • Failing to use an email encryption service.
  • Not having patient authorization for email communications, but sending them an email anyway.
  • Including PHI in the subject line of your email.
  • Sending an email with PHI to the wrong patient.

What is the most common violation of HIPAA?

The HHS (Department of Health and Human Services) and state attorneys general cite “failure to implement proper access controls” for protecting patient information as one of the most common HIPAA violations by healthcare services.