Two HIPAA enforcement actions in 2021 were not because of HIPAA Right of Acess violations.
1. Excellus Health Plan paid $5,100,000 as settlement
Excellus Health Plan based in Rochester, New York is a member of the Blue Cross Blue Shield Association. It was investigated because of a potential issue in HIPAA compliance after a 2015 data breach involving 9,358,891 records was reported. That data breach was one of 3 mega data breaches that health plans reported that year. Anthem Inc and Premera Blue Cross reported other two mega data breaches. The two had resolved their cases by paying big penalties.
Excellus found out about the breach in August 2015. Investigation of the breach confirmed that hackers got access to its networks from December 23, 2013 to May 11, 2015. Excellus reported the breach to OCR on September 9, 2015. The hackers installed malware enabling them to exfiltrate the information of about 7 million Excellus Health Plan members and roughly 2.5 million Lifetime Healthcare members. The data included names, contact details, birth dates, Social Security numbers, claims information, financial account details, health plan ID numbers, and clinical treatment data.
OCR’s investigation revealed several HIPAA violations, which included
- the failure to perform a correct and complete company-wide risk analysis
- the failure to minimize ePHI risks and vulnerabilities to an acceptable and proper level
- an insufficiency of technical guidelines and procedures to restrict access to data and software programs to authorized individuals
Excellus decided to resolve the case and compensated a $5,100,000 fine and agreed to employ a complete Corrective Action Plan to deal with all sections of non-compliance.
2. Peachstate Health Management LLC, dba AEON Clinical Laboratories paid $25,000 as settlement
The enforcement action versus Peachstate Health Management is well known since this was the very first OCR investigation that ended in a financial penalty for HIPAA violations discovered in a firm that wasn’t the first issue of the investigation.
OCR started an investigation following the receipt of a report from the Department of Veteran Affairs in 2015 regarding a data breach of Authentidate Holding Corporation (AHC), its business associate. AHC handled the VA’s Telehealth Services Program and experienced a data breach. When investigating, OCR found out that on January 27, 2016, AHC had gotten into a reverse merger with Peachstate Health Management, which resulted in Peachstate being obtained by AHC. Peachstate is a CLIA-accredited lab that offers clinical and genetic testing services by means of its publicly traded parent firm, AEON Global Health Corporation (AGHC).
OCR subsequently started an investigation of Peachstate to evaluate its HIPAA Privacy and Security Rule compliance and discovered several HIPAA Rules violations. OCR discovered several HIPAA Security Rule problems, which include risk assessment, risk management, audit control problems, along with the failure to have HIPAA Security Rule policies and procedures documentation. AEON resolved the case by paying $25,000 and agreeing to a corrective action plan to mend its HIPAA violations.