
Common Findings in OCR’s Record Year of HIPAA Enforcement

Friday, February 8th, 2019

2018 ended up being a record year for HIPAA enforcement actions! According to the Office for Civil Rights (OCR), 10 cases were settled and one case was granted summary judgment before an Administrative Law Judge, totaling over $28 million from enforcement actions! This far surpassed the previous record of just over $23 million in 2016.

As part of a recent announcement, OCR provided a summary of 2018 HIPAA settlements and judgments, broken down by the month in which each enforcement action occurred.

  • In January 2018, OCR settled for $100,000 with Filefax, Inc., and for $3.5 million with Fresenius Medical Care North America. Both were required to adopt a corrective action plan.
  • In June 2018, an HHS Administrative Law Judge ruled in favor of OCR and required the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil money penalties and adopt a corrective action plan for HIPAA violations.
  • In September 2018, OCR announced that it had reached separate settlements totaling $999,000 with Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital (these settlements arose from violations of patients’ PHI privacy resulting from the filming of an ABC television network documentary). OCR also settled with Advanced Care Hospitalists for $500,000 in a separate and unrelated enforcement action.
  • In October 2018, OCR settled with Allergy Associates for $125,000, a small amount compared to the largest settlement to date: Anthem, Inc. paid $16 million to OCR after a series of cyberattacks led to the largest U.S. health data breach in history!
  • In November 2018, Pagosa Springs Medical Center paid $111,400 to OCR to settle potential HIPAA violations.
  • And in December 2018, Cottage Health agreed to pay $3 million to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Rules.

Common Finding in Each Enforcement Activity

There is a common finding across the 2018 enforcement activity. The majority of organizations OCR settled with had failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their ePHI. In other words, they either did not perform a Security Risk Analysis (SRA) at all or failed to complete one that was sufficient for the HIPAA regulations. Another key finding was failure to obtain a written business associate agreement with contractors who performed business associate functions on their behalf.

Therefore, we recommend that an initial SRA, and the subsequent reviews that follow it, never be considered optional. In fact, a HIPAA-compliant SRA may be a healthcare organization’s best defense in the event of an OCR investigation. We also recommend that covered entities know who their business associates are, and that business associates know which of their subcontractors perform business associate functions. Once they are identified, make sure an executed agreement is in place with each of them.

Healthcare Compliance Pros can help your organization make sure you are in compliance with both of these very important HIPAA requirements. Contact us by phone: 855-427-0427 or by email: [email protected].

OSHA Announces Decline in Workplace Fatalities

Friday, February 8th, 2019

In December 2018, OSHA (the Occupational Safety and Health Administration) issued a statement regarding a decline in workplace fatalities for 2017. According to the Bureau of Labor Statistics’ National Census of Fatal Occupational Injuries in 2017, there were 43 fewer workplace fatalities in 2017 than in the previous year.

“While today’s report shows a decline in the number of workplace fatalities, the loss of even one worker is too many,” said Loren Sweatt, Acting Assistant Secretary for the Occupational Safety and Health Administration (OSHA). “Through comprehensive enforcement and compliance assistance that includes educating job creators about their responsibilities under the law, and providing robust education opportunities to workers, OSHA is committed to ensuring the health and safety of the American workforce.”

A Statement About Opioid Addiction

According to Assistant Secretary Sweatt, “the scourge of opioid addiction unfortunately continues to take its toll on workers across the country, demonstrating the importance of this Administration’s efforts to tackle this crisis.”

The number of unintentional overdoses due to the non-medical use of drugs or alcohol while at work increased by 25 percent! For the fifth consecutive year overdose deaths rose by at least 25 percent.

Healthcare Compliance Pros believes education is one of the best forms of prevention. Our opioid crisis training course answers the following questions and more:

  • How did the opioid crisis begin?
  • How do opioids work?
  • What are the signs of an overdose?
  • What are the signs of an addiction?
  • What treatments should be used?
  • What response is being done at the federal and state levels?
  • Is there a guideline for prescribing opioids?

If you are interested in adding the Opioid Crisis Training to your compliance program, please contact us by email: [email protected] or by phone: 855-427-0427.


Don’t SRA it Alone... We Have the Security Risk Analysis Tools to Guide You!

Tuesday, February 5th, 2019

Over the last few weeks we have been educating you with our recent articles about spoofing and phishing, both of which threaten your cyber-security! Healthcare organizations are always going to be a target for malicious actors because of the endless amount of personal and financial information that could be stolen, used, sold and dispersed. In fact, just last year the largest medical health data breach in history resulted from cyber attacks! Don’t let this be your organization!

One of the ways to ensure you are protected from these types of malicious cyber security threats, and from other threats, is by completing an initial Security Risk Analysis (SRA) and then reviewing and updating it on an annual basis thereafter (or more frequently if needed). Performing an SRA annually will not only ensure you are fulfilling your HIPAA requirements, it will also provide the information you need to build an action plan so that your organization can be better protected throughout the year.

Some questions to consider when thinking about your current SRA process: Does it outline your organization’s vulnerabilities? If your SRA is a generic checklist found on the internet, is it comprehensive enough for your organization? How long should an initial SRA take? Our article, 5 Best Practices for your Security Risk Analysis, can help answer these questions.

Did you know that HCP offers an SRA tool to our clients?

Our SRA tool does the following and more!

  • Provides a thorough list of the areas for analysis.
  • Is reviewed each year by our compliance department, who provide feedback and schedule follow-up appointments throughout the year.
  • Provides corrective action plans.
  • Examines your personnel for exclusions and vulnerabilities.
  • Reviews your existing policies and procedures and examines their effectiveness.
  • Most importantly, includes one-on-one support from our compliance experts!

Running a safe and secure organization is an ongoing process: sufficient safeguards, policies and procedures have to be in place all year, around the clock! With our tool you will have support throughout the entire process of completing, reviewing and creating your own customized Security Risk Analysis. In the event that a possible breach were to happen, we are there to support you through that as well!

Interested in adding our SRA tool to your services? Or questions about your current SRA?

Please contact us for more information by email: [email protected] or by phone: 855-427-0427.

How Would You Improve HIPAA? Let OCR Know!

Wednesday, January 30th, 2019

Reminder for Comments on Improving Care Coordination and HIPAA Rules

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), sent out a reminder that it is seeking input from the public on how the Health Insurance Portability and Accountability Act (HIPAA) Rules, especially the HIPAA Privacy Rule, could be modified to further the HHS Secretary’s goal of promoting coordinated, value-based healthcare.

In addition to requesting broad input on the HIPAA Rules, OCR is also seeking comments on specific areas of the HIPAA Privacy Rule, including:

  • Encouraging information-sharing for treatment and care coordination.
  • Facilitating parental involvement in care.
  • Addressing the opioid crisis and serious mental illness.
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act.
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices.

As we discussed in our December article, public comments are due by February 12, 2019.

The Request for Information is available for review at:

What is Phishing and How Common is it?

Wednesday, January 30th, 2019

Phishing is an attempt to acquire personal information such as usernames, passwords or financial information through impersonation or spoofing. Despite how simple they are, phishing attacks continue to become a larger threat every year. Information is power, and healthcare organizations hold a great amount of both personal and financial data. This makes healthcare organizations a target for many phishing attacks. While email continues to be a major source of phishing scams, social media lures are on the rise. Just seven short years ago, social media was used in 8.3% of phishing attacks; now it is used in 84.5% of attacks!

How Does Phishing Work?

Phishing is a common method of online identity theft and malware spreading that uses platforms such as social media or email to acquire personal information, including login credentials or account information. Phishers often masquerade as a reputable entity, using stolen or fake identities, and use fake website addresses to lure victims into entering their credentials. Once you enter your login details on such a fake page, the phisher has the information they need to access your account. A hijacked account can be used to extort money from your contacts, scam you, collect information, stalk victims and spread malware, and not just against you: with your hijacked account, they gain access to your contacts. People tend to trust people they know and are more likely to accept a message or file that comes from your account.

What is Spear Phishing?

Spear phishing is a more advanced version of phishing that aims at specific groups, organizations or people. Instead of vague messages blasted to thousands of people, criminals design messages for a specific target to give the scam a greater chance of succeeding. Criminals will research your organization to identify ways in which it is vulnerable, often identifying staff, management, business associates, patients, etc. They will then use that information to gain your trust and, through it, access.

How to Protect Yourself!

The online threats we are at risk for can be overwhelming, but the good news is there are steps you can take to protect yourself, your network and your organization from phishing scams!

  1. Do not respond to unsolicited messages, emails or text messages. Do not click on links or download files contained within such messages, because those links may deliver viruses or malicious software (including ransomware) that could steal information and/or harm your computer.
  2. Make sure your computer is protected by anti-virus software that is up to date. Your antivirus should run automatic updates, scan all incoming emails and perform regularly scheduled system scans.
  3. Become familiar with the privacy features of the social media platforms you use. Each is designed to protect users from malicious attacks. Set your privacy settings as high as is functionally possible for your organization.

Lastly, beware of the following:

  • Messages with misspelled words, typos, multiple fonts and oddly placed accents.
  • Mismatched links. When you hover over a link, the address it actually points to should match the link text shown on the page or in the message.
  • Messages asking for personal information. Most companies will never ask you for account passwords, Social Security numbers, tax identification numbers or credit card numbers.

And two final recommendations:

  • Report any suspected phishing attempt to your social media platform as soon as possible; they can use the information you provide to investigate and take action where possible.
  • Train your staff on how to safely navigate social media on behalf of your organization.
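The "mismatched links" check above can be automated for an HTML message. The following is an added example, not code from the original post: it parses every anchor in a constructed sample email and reports those whose visible text names a different host than the one the href actually points to. The message text and domains in it are made up.

```python
# Added example (not from the original post): flag "mismatched links" in an
# HTML email, where the text the reader sees names one site but the href
# actually points at another. The sample message below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

def _host(value):
    """Lowercase host of a URL or bare-domain string, or None if it has none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # handle visible text like "www.example.org"
    host = urlparse(value).hostname
    return host.lower() if host else None

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html):
    """Return (shown_text, href) pairs whose displayed host != actual host."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, actual = _host(text), _host(href)
        # Only visible text that itself looks like a domain can "mismatch";
        # plain words such as "Read the FAQ" are not judged.
        if shown and actual and "." in shown and shown != actual:
            flagged.append((text, href))
    return flagged

SAMPLE_EMAIL = """<p>Your account needs verification.</p>
<a href="http://login-example.evil.test/verify">https://portal.example.org/login</a>
<a href="https://portal.example.org/help">https://portal.example.org/help</a>
<a href="https://portal.example.org/faq">Read the FAQ</a>"""  # constructed sample
```

Running `find_mismatched_links(SAMPLE_EMAIL)` flags only the first link, whose visible text claims portal.example.org while the href goes elsewhere.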

HCP offers a Cyber Security course that provides essential information and training for your organization. If you do not have access to this course, please contact us today.


Spoof-Don’t Be Tricked! How to Be Cyber Secure and Protect Yourself from Scams!

Tuesday, January 22nd, 2019

Spoofing is a serious type of scam that unfortunately happens all the time! Unsuspecting victims are tricked into confirming or releasing personal information, sending money or taking part in various fraudulent activities. Spoofing presents challenges because victims are often convinced that the access to, or release of, the information is permitted, when in fact it is not! When you are “spoofed” you are tricked by a culprit who misrepresents themselves as coming from a trusted source.

It wasn’t too long ago that even the Office of Inspector General’s (OIG) hotline was spoofed! According to the OIG, the criminals used spoofing to make the OIG’s phone number falsely appear on caller IDs in order to obtain confidential information. Thousands of calls using the spoofed number were made to people across the nation, though apparently only a handful of people sent money to the perpetrators.

As part of the OIG’s announcement, the following steps were recommended to ensure you are being “Cyber Secure” and protecting yourself from telephone, e-mail or internet scams.

Add a Cyber Check-up to Your Own Annual To-Do List!

Your own personal online posts, comments, tags and followers can create a wealth of personal information that bad actors can use to steal your identity and manipulate you into giving up even more confidential information.

  • Check your social media privacy settings to make sure you’re sharing information only with friends.
  • Adjust privacy settings on your smart watches or health trackers.
  • Check out the social sites you visit, including ones where you may have left reviews for restaurants, stores or other services, and delete any of your PII (Personally Identifiable Information).

It is also important not to be fooled by a caller’s knowledge of your name and other personal information. Callers may use a variety of tactics to obtain some initial personal information, including by working for otherwise legitimate marketing centers. It is important to know that OIG and other government agencies will never initiate contact with the public through the hotline to request or confirm personal information.

Protect Yourself from Telephone or Email Scams

No matter how authoritative a caller may sound, do not give or confirm your name or provide any personal information to unknown individuals, including such details as your:

  • Social Security number
  • Date of birth
  • Credit card or bank account information
  • Mother’s maiden name

If you are going to release any personal information, it is critical to make sure you know who you are communicating with. Failure to do so can be costly and may result in identity theft.