HIPAA Violations Reported in the Past Month

Cyberattacks against healthcare providers cost healthcare organizations $5.6 billion in 2020. That figure includes both the resources lost to shutdowns and the burden of regulatory fines.

The Department of Health and Human Services’ Office for Civil Rights (OCR) holds healthcare providers liable for negligence. The OCR imposes fines and other penalties for HIPAA violations.

It does not matter whether an organization violates HIPAA deliberately or simply neglects its responsibilities to its patients. Either way, violations put patient privacy at risk.

This month, two significant HIPAA cases made headlines. The first also underscores the importance of abiding by state-level patient privacy laws.

First, Dominion National finally settled a 2019 class-action lawsuit for $2 million. The harmed class filed the suit in Virginia after hackers breached the health plan’s systems. Attackers had access to the data of 2.9 million patients for almost nine years before the intrusion was discovered.

Second, the OCR is now investigating the Lake County Health Department and Community Health Center over a breach that compromised the private information of 705 individuals.

What Is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. There are five types of organizations and institutions that must abide by HIPAA.

HIPAA Regulates Healthcare Organizations

HIPAA applies to private healthcare companies, non-profit healthcare-adjacent organizations, and public organizations. The Department of Health and Human Services (HHS) enforces it, and the law itself establishes which organizations must meet its standards. HIPAA is a federal law that regulates:

  • Healthcare providers
  • Medical practices
  • Government and private health insurance groups
  • Local and regional public health departments
  • Clearinghouses and tech companies that work with private patient information

HIPAA maintains patients’ privacy and access in healthcare settings.

In essence, HIPAA protects patients’ protected health information (PHI). It mandates precise security standards and practices that govern how organizations store and transfer patient data.

HHS updates these mandates as technology changes and cybersecurity threats evolve. They include processes that maintain patients’ anonymity when necessary, such as de-identification of data used outside direct care.

HIPAA Mandates and Regulations

HIPAA also stipulates the circumstances under which an organization may legally share or transfer PHI. Outside of permitted uses such as treatment, payment and healthcare operations, healthcare organizations may share or transfer PHI only with a patient’s explicit authorization.

There are rare emergencies in which a patient cannot authorize an organization to share their PHI, yet transferring that data is critical to saving their life. HIPAA also codifies the reasonable safeguards an organization must apply in these situations.

Lastly, HIPAA codifies rules that ensure patients have fair, timely access to health plans and to their own PHI. The law also contains tax-related provisions that apply to healthcare organizations.

Dominion National Settlement

Dominion National is a health plan organization that includes a dental health service. In 2019, Dominion National notified patients of a data breach that compromised their protected health information.

Investigators determined that hackers had repeatedly breached patient data since 2010, but Dominion National only discovered the intrusion in 2019. Over that period, the breach affected 2.9 million patients.

Hackers broke into Dominion National’s data storage systems and stole, or held for ransom, personal data including patients’ Social Security Numbers and diagnostic information.

As a result, anonymous buyers of the stolen data committed identity theft against some patients. The breach and the resulting identity thefts caused financial losses and psychological distress for many of the affected patients.

This harm led the affected patients to file a class-action lawsuit against Dominion National. The suit alleged that Dominion National violated both HIPAA regulations and patient privacy laws in the states of Virginia and Oregon.

Private Cause of Action

HIPAA itself provides no private right of action: an individual or harmed class typically cannot sue a healthcare organization for a HIPAA violation as such. Instead, patients must file a complaint with the Department of Health and Human Services’ Office for Civil Rights.

The OCR then investigates and decides whether to impose fines or other penalties on an organization that violated HIPAA.

In this case, however, the harmed patients were able to file a class-action lawsuit in the United States District Court for the Eastern District of Virginia, because Dominion National had also allegedly violated patient privacy laws in the state of Virginia.

$2 Million Settlement

The class alleged that Dominion National violated patient privacy laws and was negligent in its maintenance of data security.

According to the suit, Dominion National had not updated its cybersecurity systems, nor checked on their security status, in almost nine years.

This neglect allowed the long-term breach of patient data. The settlement approved by the United States District Court requires Dominion National to pay $2 million to the harmed class.

Individual harmed patients can claim reimbursement for damages until October 2021. Patients may claim up to $7,500 for damages caused by identity theft, up to $300 for out-of-pocket credit monitoring expenses, and $100 for lost time.

If every affected patient filed a claim, the total would far exceed $2 million. But the settlement caps Dominion National’s total payout, so in practice it will not pay more than $2 million.

OCR Investigates Lake County Health

This month, the OCR opened an investigation into a security breach at the Lake County Health Department and Community Health Center (LCHD). The department reported a breach that may have compromised the PHI of 705 patients.

The department notified patients within 60 days of discovering the breach, as the HIPAA Breach Notification Rule requires. So far, no patients appear to have suffered damages.

The breach was reportedly due to a “software error” rather than a cyberattack. The error caused LCHD to send PHI, including patient Social Security Numbers, to a third party without patients’ authorization.

The department says the error has been fixed. State health officials encourage affected patients to file reports with police and with the credit bureaus, which can place a fraud alert on their credit files.

HIPAA Challenges Rural Health Departments

Rural health departments and community health organizations face extra barriers to HIPAA compliance. They operate under tighter budget restrictions than larger organizations, which limits their access to software security upgrades.

Covid-19 has also stretched the Lake County Health Department’s budget. Officials must make careful choices to satisfy HIPAA and Covid regulations while dealing with patient access issues. Affordable HIPAA training is critical in this context.

Patients in rural communities also face barriers when their privacy is violated. Some patients affected by the Lake County breach cannot access a phone or the internet, which makes it harder for them to protect themselves from identity theft and other potential fallout.

OCR’s investigation is ongoing. OCR may choose not to impose fines over a HIPAA violation if it determines that no patients actually came to harm.

What Is HIPAA Training?

HIPAA training is a series of classes that teach organizations the ins and outs of HIPAA regulations. Healthcare organizations can sign up for HIPAA training classes to earn HIPAA certification. Note that some other mandatory workforce training, such as OSHA bloodborne pathogens training, is a separate requirement from HIPAA, although vendors often bundle the two.

HIPAA training empowers healthcare organizations to abide by HIPAA regulations. Training prevents violations by teaching all employees the current HIPAA standards.

It also provides checklists and strategies that an organization can adopt to secure, maintain, and transfer PHI within the bounds of the law.

Trained healthcare organizations provide patients timely access to their own PHI. They don’t impose unreasonable barriers. Training empowers institutions to create policies that are in line with federal and state guidelines. 

HIPAA Training Differences

Healthcare organizations can also prevent violations of state privacy laws. A trained organization can avoid a class-action lawsuit filed for violating state law. Thus, many HIPAA training programs also offer integrated lessons on meeting state regulations.

Healthcare organizations can choose HIPAA training classes based on their medical sub-field. All classes cover the strategies and resources an organization needs to stay compliant.

But, some HIPAA training is specific. It emphasizes practices that prevent common pitfalls in specific healthcare contexts.

For example, a business that maintains patients’ dental records will face certain challenges. These challenges differ from a rural county community health center. Medical coders have different tasks using patient data than hospital administrators do. 

While both must abide by HIPAA regulations, each organization will find different HIPAA classes useful. Different classes tackle the hurdles of abiding by HIPAA mandates with different solutions. 

What Is HIPAA Certification?

HHS’ OCR does not certify organizations as HIPAA-compliant. Instead, organizations can earn HIPAA certification through third parties. Note that HHS does not endorse or recognize any such certification, and holding one does not shield an organization from OCR enforcement.

HIPAA certification tells patients that a healthcare organization takes their privacy seriously. HIPAA-certified institutions earn patients’ trust. They do this by showing that their policies and procedures are in line with federal guidelines.

Organizations that offer HIPAA training also frequently offer evaluations. These training organizations can certify an organization as HIPAA-compliant. The healthcare practice must meet the regulatory standards.

Meet HIPAA Compliance Standards Today

Meeting HIPAA standards builds patients’ trust in your organization. It also protects your practice from fines and penalties. These add up if your institution violates HIPAA. 

Your organization is more likely to inadvertently run afoul of HIPAA when:

  • Employees are unaware of HIPAA regulations
  • Your HIPAA-compliance practices or policies are out of date
  • Your organization lacks the technology to effectively protect patient data

Any healthcare organization can avoid these missteps. You don’t need to wait for an OCR investigation to shore up your organization’s HIPAA compliance practices. Prevent HIPAA violations before they happen. 

Look into HIPAA training and certification today. Choose from among dozens of classes and bundles, and integrate HIPAA compliance into your organization.

For further reading: buzztum.com
