MJH News March 2019

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HR INSIGHTS: “Leaving [for] Las Vegas” and other scenarios illustrating the challenges of managing employee leaves, see page 4

The Leading Source for Healthcare Business News

Legal Affairs

March 2019 • Volume 15, Issue 12 • $3.50

Record-breaking year for HIPAA enforcement



ALLISON SHELTON, Brown & Fortunato, P.C. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) ended 2018 with a bang by announcing a total $28.7 million collected in enforcement actions and settlements with healthcare

Inpatient EHR Vendors by Market Share see page 8


Financial Perspectives.......3

providers under the Health Insurance Portability and Accountability Act (HIPAA). The most recent settlement announced at the beginning of February (but negotiated in December 2018) was with Cottage Health, which operates four hospitals in California. This settlement came on the heels of eight other settlements and one judgment in 2018, resulting in overall collections of almost $29 million for OCR. Cottage Health’s $3 million settlement with OCR resulted from two data breaches in December 2013 and December 2015. The first breach of electronic protected health information (ePHI) resulted from a misconfiguration in Cottage Health’s operating system’s security settings. The error allowed access to ePHI, including patient names, addresses, dates of birth, Social Security numbers, and treatment information, contained on Cottage Health’s server from the internet without requiring necessary log-in credentials. Then another system misconfiguration occurred in 2015, when Cottage Health’s IT department attempted to fix a reported technological issue. The “fix” resulted in internet users being able to access to ePHI

HR Insights......................4

Integrative Medicine.......6

without a username or password. OCR investigated the breaches and determined that Cottage Health had failed to conduct accurate and thorough assessments of risks to confidentiality of ePHI and had failed to implement appropriate security measures or to perform necessary assessments of the security of ePHI. Additionally, Cottage Health failed to enter into a written business associate agreement with a contractor maintaining ePHI on its behalf. Along with the financial penalty, Cottage Health entered into a three-year corrective action plan requiring system-wide risk analyses to assess all risks and for the company to develop a risk management plan. Prior to the Cottage Health settlement, OCR entered into several settlement agreements in 2018 with big-names in the healthcare industry, including Anthem, Inc. (Anthem), Brigham and Women’s Hospital, and University of Texas MD Anderson Cancer Center (MD Anderson). The largest HIPAA related settlement in history was reported in October 2018 with Anthem. The $16 million deal was reached with Anthem as a result of a data breach involving almost 79 million patients. The breach was caused by hackers who stole personal information of patients, including names, dates of birth, Social Security numbers, and addresses. The Anthem settlement itself was three times OCR’s prior record settlement of $5.5 million with Advocate Health in 2016.

Interestingly, in June 2018, an administrative law judge awarded OCR $4.3 million in a suit against MD Anderson. This was only the second time that OCR has won a summary judgment motion in a HIPAA enforcement action. The judgment resulted from three breaches of ePHI in 2012 and 2013 related to unencrypted electronic devices. OCR levied fines, which were upheld by the administrative law judge, against MD Anderson for each day it was not HIPAA-compliant and for each individual record breached as a result of the lack of encryption. Then in September 2018, OCR settled with Brigham and Women’s Hospital, along with Boston Medical Center and Massachusetts General Hpspital for almost $1 million as a result of HIPAA breaches occurring during the filming of a television documentary for a major television network. According to the settlement documents, the hospitals inappropriately disclosed protected health information of their patients by allowing media crews onsite to film a documentary series without obtaining authorizations from the patients. As the number of settlements and the amounts of those settlements continue to increase year over year, it is vital that both covered entities and business associates ensure that their practices are HIPAA-

Top Ten List....................8


Moving On Up.............11

Book Review: Integrative Addiction and

Recovery see page 6

. . . . . . . . . . . .

Please see LEGAL AFFAIRS page 10

Made with FlippingBook - professional solution for displaying marketing and sales documents online