Banner Health settlement is largest so far in the OCR’s Right of Access initiative

Details

Published: 18 January 2021 18 January 2021

• HIPAA
• HIPAA patient rights

On January 12, 2021, the Department of Health & Human Services Office for Civil Rights (OCR) reported that it had reached a $200,000 settlement with Banner Health. This is the fourteenth settlement in OCR’s Right of Access initiative, which investigates claims of patients and related parties that they have been denied access to their health records. Under the Health Insurance Portability and Accountability Act (HIPAA), HIPAA covered entities, including health care providers, are required to respond to a request for access to records within thirty days.

The Banner Health settlement is the third six-figure settlement, following settlements in October 2020 with Dignity Health ($160,000) and NY Spine ($100,000). The remaining eleven settlements have been for less than $100,000, with five $25,000 or less. However, the ongoing compliance reporting required by the settlement agreements may be a more substantial burden than the upfront settlement payment, especially for smaller providers. Generally, the settlement agreements require the provider to revise its policies and procedures, train employees, and provide reports to OCR for a two-year period.

Appeals Court overturns $4 million penalty imposed on MD Anderson Cancer Center

Details

Published: 15 January 2021 15 January 2021

• HIPAA
• HIPAA Privacy Rule
• HIPAA Security Rule

The Fifth Circuit Court of Appeals ruled that the Department of Health and Human Services (HHS) violated the Administrative Procedure Act in imposing a $4 million civil monetary penalty on M.D. Anderson Cancer Center. The case arose out of three incidents in 2012 and 2013, in which an unencrypted laptop was stolen, and two unencrypted USB thumb drives were lost. 

HHS had determined that M.D. Anderson violated the requirement under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requiring HIPAA covered entities to implement a mechanism to encrypt electronic protected health information (ePHI) or adopt another appropriate method to limit access. HHS also determined that the hospital violated the HIPAA Privacy Rule prohibition on unpermitted disclosure of PHI. Finally, HHS found that the hospital had reasonable cause to know that it had violated these rules and assessed daily penalties of $1,348,000 for the Security Rule violation and $3,000,000 for the Privacy Rule violation.  The court ruled that HHS was arbitrary and capricious in applying its regulations and calculating the penalty amounts.

Read more ...

ONC proposes expanding core data for interoperability

Details

Published: 13 January 2021 13 January 2021

• health information technology
• information blocking
• 21st Century Cures Act

The Office of the National Coordinator for Health Information Technology (ONC) has published a draft version 2 of the United States Core Data for Interoperability (USCDI). The USCDI establishes a baseline set of data to be exchanged across care settings. Version 1 of the USCDI was adopted as part of the ONC’s 21st Century Cures Act final rule published on May 1, 2020. The USCDI is incorporated into the certification standards for electronic health technology, and also is significant for application of the information blocking prohibition. Information blocking is a practice of a developer of certified health information technology, a health care provider, or health information exchange that interferes with access, exchange or use of electronic health information (EHI). Before October 6, 2022, EHI covered by the information blocking prohibition is limited to the data elements included in the USCDI.

Read more ...