From $5,000 to $800,000, Days Apart, OCR Security Settlements Show Puzzling Math | Health Care Compliance Association (HCCA) | JD Supra
Report on Patient Privacy 25, no. 6 (June 2025)

A single incident that may have started as a personal vendetta or an extortion threat seven years ago has cost a Florida health care system $800,000, and it comes on the heels of an unrelated breach suffered by a different hospital in the same organization just last year.

The payment by Clearwater, Fla.-based BayCare Health System, which the HHS Office for Civil Rights (OCR) announced May 15,[1] was the third priciest of 2025, following a $3 million settlement with a diabetes supply firm and a $1.5 million fine OCR imposed on eyewear vendor Warby Parker.[2]

BayCare's was one of three OCR enforcement actions the agency made public in May; all were accompanied by two-year corrective action plans (CAPs).

On May 30, two days after the BayCare announcement, OCR said a business associate (BA) in Rowley, Mass., agreed to a $75,000 settlement stemming from a 2022 ransomware attack that encrypted the protected health information (PHI) of nearly 560,000 patients of 70 covered entities (CEs) it served.[3]

All three settlements contribute to the longstanding puzzle of how OCR determines financial payment amounts, which bedevils CEs, BAs, attorneys and experts alike. Vision Upright MRI of San Jose, Calif., agreed to pay just $5,000 to settle allegations that it both failed to conduct a security risk analysis and did not notify the 22,000 affected individuals within the required 60 days.[4]

As of June 1, OCR had issued 15 enforcement actions this year, nine of which were announced by former OCR Director Melanie Fontes Rainer, a Biden appointee who resigned in mid-January and later shared exclusively with RPP her concerns about the future of the agency.[5] OCR has collected a total of $7,610,316 from its enforcement actions so far this year.

BayCare officials would not answer any of RPP's questions, including why it took so long to reach an agreement and what the $800,000 is based on. Instead, a spokesperson provided the following two-sentence statement about the settlement: "BayCare takes patient privacy very seriously. We have cooperated fully with the Department of Health and Human Services Office of Civil Rights in its investigation."

The spokesperson also clarified that this settlement does not encompass a March 2024 breach that occurred when an employee of Winter Haven Hospital mistakenly attached a cardiac department file with information for some 2,100 patients when emailing a patient. However, the spokesperson would not comment on this incident.

OCR didn't fill in too many blanks about either the $800,000 settlement or the $75,000 one. In its announcement, OCR said it began an investigation following its receipt of a complaint in October 2018 in which the complainant alleged that, after receiving treatment at a BayCare facility, she was contacted by an unknown individual who had photographs of her printed medical records as well as a video of someone scrolling through her medical records on a computer screen.

The headline on the announcement referred to the incident as being perpetrated by a "malicious insider."

"The credentials of a nonclinical former staff member of a physician's practice were used that provided access to BayCare's electronic medical records for the continuity of common patients' care," OCR said. It was not clear whether the former staff member whose credentials were used was the one who engaged in the inappropriate access, nor who contacted the patient.

The settlement agreement identified St. Joseph's Hospital as the medical center at issue. But it said nothing about the intent of the person who contacted the patient, or whether anything happened after the photo and video were shared.

Although most OCR settlements allege CEs and BAs haven't conducted a risk analysis, that wasn't the case with BayCare. Instead, OCR alleged BayCare "failed to implement policies and procedures for authorizing access to ePHI [electronic PHI] that are consistent with the applicable requirements of the HIPAA Privacy Rule," "failed to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level" and "failed to regularly review records of information system activity."[6]

Yet conducting a risk analysis is the first requirement in BayCare's CAP, which also calls for the development of a related risk management plan and revised policies and procedures addressing risk management, information system activity review and information access management. Training on the new policies is also required.

Regarding Comstar, its resolution agreement states that on March 19, 2022, an unknown actor gained access to ePHI maintained on Comstar's network servers. Comstar did not detect the intrusion until March 26, 2022, when its IT service vendor began receiving support tickets. It was determined that ransomware was used to encrypt Comstar's network servers and that the PHI of 585,621 individuals was affected.[7]

OCR based the settlement on a single infraction: it said Comstar "failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information that it holds." Comstar did not respond to RPP's request for comment.

The agency provided no other information, such as how long the data was encrypted, whether ransom was paid and whether any data was exfiltrated.

Information posted by the Centerville-Osterville-Marstons Mills (COMM) Fire-Rescue Department in Massachusetts described Comstar as its former ambulance billing firm and said all of Comstar's patient records were affected and that its "data storage system as a whole was held hostage by ransomware."[8]

"Upon learning of the potential security breach, Comstar immediately notified COMM Fire of the situation, and out of an abundance of caution, and despite the fact that no evidence was found indicating patient records were actually removed, COMM Fire authorized Comstar to notify every patient who could have been potentially impacted," the undated online notice states. COMM wasn't a client of Comstar's at the time; the relationship spanned from 2009 to 2019.

Comstar's CAP is similar to, and perhaps a bit broader than, BayCare's. In addition to conducting a risk analysis and developing a management plan, the BA is to revise its policies and procedures to address its security management process, security awareness and training, security incident procedures and BA breach notification requirements, and to retrain workers, as called for in BayCare's CAP.

1. U.S. Department of Health and Human Services, Office for Civil Rights, "HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with a Florida Health Care Provider," news release, May 28, 2025, https://bit.ly/4dCp2zv.
2. Theresa Defino, "$1.5M Warby Parker Fine a Holdover; OCR Focuses On Men in Sports, Antisemitism, 'Biological Truth,'" Report on Patient Privacy 25, no. 3 (March 2025), https://bit.ly/4clCVSj.
3. U.S. Department of Health and Human Services, Office for Civil Rights, "HHS Office for Civil Rights Settles HIPAA Ransomware Cybersecurity Investigation with Comstar, LLC," news release, May 30, 2025, https://bit.ly/3Zb1Sug.
4. Jane Anderson, "Risk Analysis Not Just for Big Providers, OCR Warns in Settlement With MRI Firm," Report on Patient Privacy 25, no. 6 (June 2025).
5. Theresa Defino, "Former OCR Director Fontes Rainer Reflects On 'Imperfect' RSP Law, Urges Final Security Reg," Report on Patient Privacy 25, no. 5 (May 2025), https://bit.ly/4kLcyrQ.
6. U.S. Department of Health and Human Services, Office for Civil Rights, Resolution Agreement, February 14, 2025, https://bit.ly/455uxoq.
7. U.S. Department of Health and Human Services, Office for Civil Rights, Comstar, LLC Resolution Agreement and Corrective Action Plan, February 19, 2025, content last reviewed May 30, 2025, https://bit.ly/4kjQLaP.
8. Centerville-Osterville-Marstons Mills Fire-Rescue Department, "Comstar Notification," page last accessed June 2, 2025, https://www.commfiredistrict.com/comstar.