OCR Imposes $2.15 Million Penalty Against Hospital System for Alleged HIPAA Violations – On October 23, 2019, the Office for Civil Rights (OCR) at HHS announced the imposition of a $2,154,000 civil monetary penalty against a Florida hospital system (Hospital System) for alleged violations of the HIPAA Security and Breach Notification Rules between 2013 and 2016. The underlying incidents include the loss of paper records containing protected health information (PHI), the sharing on social media of a photograph of an operating room screen, and an employee’s inappropriate access to thousands of patient records for the purpose of selling patient information. OCR concluded that the Hospital System failed to provide timely and accurate breach notification to OCR, conduct a risk analysis, manage risk to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient PHI to the minimum necessary to accomplish job duties.
The allegations contained in OCR’s Notice of Proposed Determination include the following:
- In 2013, the Hospital System submitted a breach report to OCR stating that it lost paper records containing the PHI of 756 patients. Although an internal investigation by the Hospital System revealed that three additional boxes of records were missing, this additional loss was not reported to OCR until 2016.
- In 2015, a reporter shared on social media a photograph of an operating room screen containing a patient’s medical information, prompting an investigation by OCR. The Hospital System determined then that two employees had accessed this patient’s medical record without a job-related purpose.
- In 2016, the Hospital System submitted a breach report to OCR, reporting that an employee had been selling patient PHI, and had accessed the records of over 24,000 patients since 2011.
In the Notice of Proposed Determination, OCR alleges deficiencies in the Hospital System’s compliance efforts, and specifically, the conduct of risk analyses by third parties and the follow-up on such analyses by the Hospital System. According to the Notice, one risk analysis failed to include all of the relevant electronic PHI and did not identify the totality of threats and vulnerabilities that exist in its system; another risk analysis concluded that the Security Rule was “not applicable” to the Hospital System; and another was not system-wide. Additionally, according to the Notice, the Hospital System did not provide evidence that it acted on the findings in the risk analyses.
OCR’s press release, the Notice of Proposed Determination, and the Notice of Final Determination are available here.
Reporter, Igor Gorlach, Houston, +1 713 276 7326, email@example.com.
OIG’s Interactive Map Displaying Details on Nursing Home Complaint Trends Has Been Updated with Data from 2016, 2017, and 2018 – OIG recently updated its interactive map that displays details on nursing home complaint trends to incorporate data from 2016 through 2018. OIG had previously conducted a study and published an interactive map showing nursing home complaint trends between 2011 and 2015. The report from the prior study, issued in September 2017, analyzed the 2011-2015 data and found that “a few states fell short in timely investigation of the most serious nursing home complaints” during this timeframe.
The interactive map, which has now been updated to include 2016-2018 data, displays “details on nursing home complaint trends between 2016 and 2018 for each State, including the number of complaints received and the number of the most serious complaints that a State investigated late.” OIG states that it “is continuing to analyze nursing home complaint and investigations data and trends” and “will share the results of this work in a forthcoming report.” The updated interactive map can be found here.
Reporter, Amy L. O’Neill, Sacramento, +1 916 321 4812, firstname.lastname@example.org.
Also in the News
King & Spalding Roundtable – Recalculating: Are the Major Stark, Anti-Kickback and CMP Proposed Rule Changes Taking Us in a New Direction?
Thursday, November 7, 2019
1:00 P.M. – 2:30 P.M. ET
Wednesday, November 20, 2019
1:00 P.M. – 2:30 P.M. ET
CMS and OIG recently proposed the most significant changes to the Stark Law rules, the Anti-Kickback Statute (AKS) safe harbors and the Beneficiary Inducements CMP regulations that the agencies have offered in recent years. The proposed rules address value-based arrangements, introduce major changes to other key Stark Law concepts and definitions, address the donation of cybersecurity technology and services, and create flexibility to provide patient incentives in value-based arrangements and with respect to telehealth. Click here to read King & Spalding’s Client Alert highlighting the key proposals.
We are hosting a two-part webinar series to discuss these proposals in greater detail, described below. We will cover the opportunities raised by these proposals, as well as how they may impact enterprise risk and future enforcement actions. Our goal is to stimulate thinking about the submission to CMS and OIG of comments on these proposed rules, which are due on December 31, 2019.
- In Part One, we will discuss proposed changes other than those relating to value-based arrangements and patient incentives. The topics will include the proposed changes to fundamental Stark Law concepts such as taking into account the volume or value of referrals or other business generated, fair market value, commercial reasonableness and the definition of indirect compensation arrangements. We also will address proposed changes to the writing requirements, proposed changes to several commonly used compensation exceptions and proposals related to cybersecurity technology and related services.
- In Part Two, we will discuss proposals related to value-based arrangements and patient incentives. This will include the newly proposed AKS safe harbors and Stark Law exception for value-based arrangements, modifications to existing AKS safe harbors and Stark Law exceptions to address value-based arrangements, newly proposed AKS safe harbors for patient incentives, revisions to the local transportation safe harbor and a proposed telehealth exception to the Beneficiary Inducements CMP.
You do not have to be a client to attend, and there is no charge. To register, please click here. Your registration will allow you to attend Part One and Part Two.
King & Spalding Will Host 12th Annual Pharmaceutical University in Philadelphia – On November 12, 2019, King & Spalding will host more than 300 guests at its annual Pharmaceutical University at the Westin in Philadelphia. For more than a decade, attendees of Pharma U have raved about the breadth and quality of the programming and have embraced the many opportunities to network with hundreds of attendees from the world’s most sophisticated pharmaceutical and biotechnology companies.
This year’s curriculum will include four concurrent tracks and more than 20 different interactive presentations from which to choose. Lawyers from across the firm will deliver courses on cutting-edge issues critical to pharmaceutical and biotechnology lawyers, executives, and managers. This year’s sessions will address regulatory, enforcement, litigation, commercial, corporate, intellectual property, international trade, and political issues, among many others.