Photo of Austin R. Shepard

Austin’s practice is focused on transactional matters and regulatory compliance in the healthcare industry.

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and specifically the Privacy Rule under HIPAA’s implementing regulations, patients have a right to access their health information held by health care providers. In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance stressing the importance of this right. The OCR also implemented a HIPAA Right of Access Initiative as an enforcement priority in 2019, and the OCR has since actively pursued violations under the right of access standard.

Continue Reading OCR Continues to Crack Down on Right of Access Violations

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a settlement for $1,500,000 and entered into a substantial corrective action plan with Athens Orthopedic Clinic (AOC) as a result of AOC’s alleged systemic noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. AOC, located in Georgia, provides a wide range of orthopedic services to approximately 138,000 patients a year.

Problems began for AOC in June 2016, when the practice was notified by a journalist that AOC patient records may have been posted for sale on the internet. Shortly thereafter, AOC was contacted by a hacker demanding payment for the stolen patient records. It was later determined that the hacker had accessed AOC’s electronic medical records using a vendor’s credentials on June 14, 2016, and continued to access protected health information (PHI) until July 16, 2016. AOC filed a breach report with OCR on July 29, 2016, revealing that the names, dates of birth, social security numbers, and other PHI of over 200,000 patients had been compromised by this breach.

Continue Reading Hacked Patient Records Land Athens Orthopedic Clinic in Hot Water with OCR

Since the outbreak of COVID-19, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued various notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, discussed previously. However, OCR issued guidance on May 5, 2020, reminding covered healthcare providers that the HIPAA Privacy Rule remains in force during the COVID-19 public health crisis except as expressly relaxed under OCR’s prior guidance. Specifically, OCR’s most recent guidance addresses the disclosure of patient protected health information (PHI) to the media by allowing the media to film patients in facilities where PHI is accessible.

Continue Reading OCR Warns Providers and Media: Patient Privacy Remains Protected Despite Pandemic

In the first published enforcement action of 2020, a gastroenterology practice in Ogden, Utah, has agreed to pay a $100,000 settlement to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.

According to the Resolution Agreement entered into between Steven A Porter, M.D., P.C. (the “Practice”) and OCR, the Practice reported a breach to OCR in 2013 due to conduct by a business associate of the Practice. While investigating the breach, OCR determined that the Practice had not implemented appropriate policies and procedures to address security violations, failed to conduct a security risk analysis, and did not have reasonable and appropriate security measures in place. Further, the Practice had used an electronic health records vendor for several years without entering into an appropriate business associate agreement.

In addition to the $100,000 payment, the Practice is required to submit to a Corrective Action Plan for a two-year period. The Corrective Action Plan requires the Practice to take a series of broad measures in furtherance of HIPAA compliance, detailed below.
Continue Reading Small Businesses Are Not Safe from Big HIPAA Liability

In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Continue Reading Unencrypted Mobile Devices Cost Medical Center $3 Million In HIPAA Settlement

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has collected over $2.15 million in civil penalties from Miami-based Jackson Health System (JHS) for multiple violations of the Security and Breach Notification Rules under HIPAA. JHS is a nonprofit academic medical system that serves approximately 650,000 patients a year in six major hospitals and a network of affiliated healthcare facilities. This is the first publicized imposition of civil monetary penalties under HIPAA in recent years, in contrast to the many publicized settlements of alleged violations, indicating that JHS’ violations were severe.
Continue Reading Jackson Health System Slammed With $2.15 Million Penalty for Privacy Breaches

Social media posts have become so common and reflexive that people often fire off posts without appropriately considering the consequences.  This can be costly on multiple fronts.  In the health care context, beyond the risk of losing patients (and the revenue they bring), inappropriate posts can result in Health Insurance Portability and Accountability Act (HIPAA) violations.  Indeed, as the Director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR) has stated, “Social media is not the place for providers to discuss a patient’s care… [doctors] and dentists must think carefully about patient privacy before responding to online reviews.”  Of course, this warning is not limited to dentists; all health care providers should take heed. 
Continue Reading From Yelp to YIKES! Dental Practice’s Social Media Posts Result in $10,000 HIPAA Settlement

In 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) provided a variety of guidance to address the importance of honoring the right of patients to have access to their medical information and not to be over-charged for exercising that right.

Earlier this week, the OCR announced an enforcement action and settlement under its Right of Access Initiative against Bayfront Health St. Petersburg (Bayfront) in Florida. This settlement, the first of its kind under OCR’s initiative to enforce patients’ rights to promptly receive copies of their medical records without being overcharged, has cost Bayfront $85,000. The 480-bed hospital is also required to undertake a corrective action plan that includes a one-year period of monitoring by OCR.
Continue Reading OCR Proves it is Serious About HIPAA’s Right of Access