Before September, the HHS' Office for Civil Rights (OCR) had issued only three financial penalties to covered entities and business associates for HIPAA violations that year. In September, however, there was a flurry of HIPAA settlement announcements, with OCR announcing eight financial penalties.
The largest settlement was with Premera Blue Cross, which resolved the HIPAA violations OCR identified while investigating its 2014 data breach, a breach that affected 10.4 million members. OCR found non-compliance with the requirements for risk analysis, risk management, and hardware and software security controls. Premera agreed to pay a $6,850,000 financial penalty to settle the case, the second-largest HIPAA penalty ever imposed on a covered entity.
CHSPSC LLC, a business associate of Community Health Systems, agreed to a $2,300,000 settlement with OCR to resolve the HIPAA violations linked to a 2014 breach that exposed the PHI of 6 million individuals. OCR found non-compliance with the requirements for risk analysis, review of information system activity (audit logs), security incident procedures, and access controls.
Athens Orthopedic Clinic PA paid a $1,500,000 financial penalty to settle a case with OCR stemming from an attack on its systems by the hacking group TheDarkOverlord, which compromised the PHI of 208,557 patients. OCR's investigation uncovered multiple areas of non-compliance, including HIPAA policies and procedures, risk analysis, risk management, business associate agreements, audit controls, and workforce training on the HIPAA Privacy Rule.
Five of the cases resolved in September fell under OCR's HIPAA Right of Access enforcement initiative. In each case, the entity had failed to provide patients with timely access to their health records.
The Entities and Their Settlement Amounts
- King MD paid $3,500
- Wise Psychiatry, PC paid $10,000
- All Inclusive Medical Services, Inc. paid $15,000
- Housing Works, Inc. paid $38,000
- Beth Israel Lahey Health Behavioral Services paid $70,000
A further settlement, separate from the OCR actions, resulted from a multistate investigation by several state attorneys general. Anthem Inc. agreed to pay a $48.2 million financial penalty to resolve alleged violations of HIPAA and state laws in connection with its 2015 breach, which affected 78.8 million records. This came on top of the $16 million financial penalty Anthem Inc. paid OCR in October 2018 for the same breach.