From January 2021 through April 2021, the Department of Health and Human Services, Office for Civil Rights (OCR) announced six settlement agreements to resolve allegations of Health Insurance Portability and Accountability Act (HIPAA) violations. Five of these settlements arose under OCR’s HIPAA Right of Access Initiative. The one remaining settlement so far in 2021 concerns a multi-year data breach and the deficient internal security processes that allowed it to go undetected.
Settlement Following Data Breach
On January 15, 2021, HHS announced a $5.1 million settlement with Excellus Health Plan, Inc. for potential violations of the HIPAA Privacy and Security Rules related to a breach affecting over 9.3 million people. In September 2015, Excellus Health Plan filed a breach report stating that cyber-attackers had gained unauthorized access to its information technology systems. Excellus Health Plan reported that the breach began on or before December 23, 2013 and ended on May 11, 2015, a period of roughly seventeen months. The attackers installed malware and conducted reconnaissance within the network, which ultimately resulted in the impermissible disclosure of the protected health information of more than 9.3 million individuals, including their names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, health plan claims, and clinical treatment information. OCR’s investigation found potential violations of the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis and failures to implement risk management, information system activity review, and access controls.
In its press release announcing the settlement, OCR expressed particular concern with its finding that hackers roamed inside the Excellus health record system undetected for over a year. OCR emphasized that “[h]acking continues to be the greatest threat to the privacy and security of individuals’ health information” and covered entities must “step up their game” to protect the privacy of people’s health information from sophisticated hackers.
Settlements for Rights of Access Violations
In 2019, OCR announced the creation of its Right of Access Initiative, intended to enforce individuals’ right to timely access to their health records. To date, OCR has settled 18 investigations under the Right of Access Initiative. From the beginning of 2021 through the end of April 2021, five of the six settlements OCR announced were related to the HIPAA Right of Access Initiative. They are as follows: