Dinsmore & Shohl LLP
  January 29, 2020 - Louisville, Kentucky

OCR Announces Recent Enforcement Actions and Settlements for Noncompliance with HIPAA Rules and Section 1557 of the Affordable Care Act
  by Matthew S. Arend, Jared M. Bruce

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced several enforcement actions and settlements for violations of Health Insurance Portability and Accountability Act (HIPAA) rules.

OCR Secures Voluntary Resolution with Hospital to Settle Provision of Auxiliary Aids and Services to Deaf or Hard-of-Hearing Individuals

On Jan. 16, 2020, CHRISTUS Trinity Mother Frances Health System (CHRISTUS TMF) agreed to enter into a voluntary resolution agreement with OCR to ensure patients who are deaf or hard of hearing receive effective communication. The voluntary resolution agreement was the result of a compliance review conducted by OCR in response to a complaint that CHRISTUS TMF failed to provide adequate or timely interpreter services despite multiple requests from patients to do so.

Under Section 504 of the Rehabilitation Act of 1973 (Section 504) and Section 1557 of the Affordable Care Act (Section 1557), health care providers who receive federal financial assistance through their participation in Medicare and Medicaid are required to provide appropriate auxiliary aids and services to persons who are deaf or hard of hearing.

As a result of OCR's investigation and review, CHRISTUS TMF and OCR have agreed CHRISTUS TMF will take steps to strengthen the provision of auxiliary aids and services, including:

  • Performing communication assessments at patient intake and reassessing communication effectiveness regularly;
  • Improving and upgrading its review, assessment, and provision of qualified interpreters, including in-person and video-remote interpreting;
  • Providing annual staff training on effective communication;
  • Submitting reports to OCR regarding CHRISTUS TMF's ongoing compliance activities, on which OCR will provide CHRISTUS TMF with substantive technical assistance and feedback; and
  • Conducting outreach to local disability groups on the available auxiliary aids and services CHRISTUS TMF provides to individuals who are deaf or hard of hearing.

The OCR press release is available here.  The voluntary resolution agreement is available here.

Ambulance Company Pays $65,000 to Settle Allegations of Long-Standing HIPAA Noncompliance

On Dec. 30, 2019, West Georgia Ambulance, Inc. (West Georgia) agreed to pay OCR $65,000 and to adopt a corrective action plan to settle potential violations of the HIPAA Security Rule.[1] West Georgia is an ambulance company that provides emergency and non-emergency ambulance services in Carroll County, Georgia.

OCR began its investigation after West Georgia filed a breach report in 2013 concerning the loss of an unencrypted laptop containing the protected health information (PHI) of 500 individuals. OCR’s investigation uncovered long-standing noncompliance with the HIPAA Rules, including failures to conduct a risk analysis, provide a security awareness and training program, and implement HIPAA Security Rule policies and procedures. Moreover, OCR alleged that despite OCR’s investigation and technical assistance, West Georgia did not take meaningful steps to address its systemic failures.

The HHS press release is available here.  The resolution agreement is available here.

OCR Settles Second Case in HIPAA Right of Access Initiative

On Dec. 12, 2019, OCR announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. OCR announced this initiative in 2019 and promised to enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice. Korunda Medical, LLC (Korunda) has agreed to take corrective actions and pay $85,000 to settle a potential violation of HIPAA's right of access provision. Korunda is a Florida-based company that provides comprehensive primary care and interventional pain management to approximately 2,000 patients annually.

According to OCR, in March of 2019, OCR received a complaint concerning a Korunda patient alleging that, despite repeated requests, Korunda failed to forward a patient's medical records in electronic format to a third party. Not only did Korunda fail to timely provide the records to the third party, but Korunda also failed to provide them in the requested electronic format and charged more than the reasonably cost-based fees allowed under HIPAA. According to OCR, OCR provided Korunda with technical assistance on how to correct these matters and closed the complaint. Further, OCR suggested Korunda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result of the second intervention, OCR stated the requested records were provided for free in May 2019 and in the format requested.

The HHS press release is available here.  The resolution agreement is available here.

OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information

On Nov. 30, 2019, OCR announced an agreement with Sentara Hospitals (Sentara) in which Sentara agreed to take corrective actions and pay $2.175 million to settle potential violations of the HIPAA Breach Notification[2] and Privacy Rules[3].  Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.

In April of 2017, HHS received a complaint alleging Sentara sent a bill to an individual containing another patient’s PHI. According to OCR, the investigation determined Sentara mailed the PHI of 577 patients, including patient names, account numbers, and dates of services, to wrong addresses. OCR stated Sentara reported this incident as a breach affecting eight individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred. Sentara persisted in its refusal to properly report the breach, even after being explicitly advised of its duty to do so by OCR. OCR also determined Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.

The HHS press release is available here. The resolution agreement is available here.

[1] 45 CFR Part 160 and Subparts A and C of Part 164.

[2] 45 CFR §§ 164.400-414.

[3] 45 CFR Part 160 and Subparts A and E of Part 164.




Read full article at: https://www.dinsmore.com/publications/ocr-announce