Providers Beware: OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity:

Make sure risk assessments, business associate agreements and policies & procedures are in place and up to date.

In a two week period, the United States Department of Health and Human Services, Office for Civil Rights (OCR) published settlements with three different health care providers for violations of HIPAA. The settlements were not insignificant, ranging from $31,000 for a small physician practice, to $400,000 for a federally qualified health center (FQHC), to $2,500,000 for a wireless health services provider. Each of these violations and subsequent settlements should act as a cautionary tale to providers, both large and small, that they must continue to be vigilant in their HIPAA compliance efforts.

On April 12, OCR reached a $400,000 settlement, resolution and corrective action plan with an FQHC. In late January 2012, the FQHC experienced a breach due to a phishing incident. While the FQHC took corrective action to prevent similar events from occurring in the future, OCR’s subsequent investigation exposed that the FQHC failed to conduct its first risk analysis until mid-February 2012, weeks after the incident. Further, OCR deemed that this first risk analysis, and all subsequent risk analyses performed by the FQHC, were insufficient to meet the HIPAA Security Rule requirements.

On April 20, OCR reached a $31,000 settlement, resolution and corrective action plan with a small pediatric subspecialty practice. The practice used a business associate to store records containing protected health information (PHI). After a compliance review, OCR investigated the practice and discovered that it did not have a signed business associate agreement in place with the records storage company until approximately twelve years after it started using the company.

On April 24, OCR reached a $2,500,000 settlement, resolution and corrective action plan with a company that provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. This settlement represents the first in which OCR focused on a wireless health services provider. The company experienced a breach when an employee’s laptop, containing PHI of nearly 1,400 patients, was stolen from his car, parked outside his home. After the company reported the breach to OCR, OCR conducted an investigation. This investigation uncovered that the company: (1) conducted an insufficient risk analysis and had an inadequate risk management process; (2) had only draft policies and procedures to implement the HIPAA Security Rule; and (3) had no final policies or procedures implementing safeguards for electronic PHI, including those for mobile devices containing PHI.

These enforcement actions should serve as reminders to providers of all types and sizes, as we predict that OCR’s enforcement actions will continue.

Print:
EmailTweetLikeLinkedIn
Photo of Stephanie S. Sobkowiak Stephanie S. Sobkowiak

Stephanie Sobkowiak is a member of the Firm’s Executive Committee, Co-Chair of the Firm’s Health Care Practice Group and prior Chair of the Firm’s Regulatory Department.  Stephanie’s practice includes representation of health systems, hospitals, physicians, physician groups and other clients in the health…

Stephanie Sobkowiak is a member of the Firm’s Executive Committee, Co-Chair of the Firm’s Health Care Practice Group and prior Chair of the Firm’s Regulatory Department.  Stephanie’s practice includes representation of health systems, hospitals, physicians, physician groups and other clients in the health care industry. Her practice includes assisting those clients with a wide range of compliance, regulatory, managed care, risk management and reimbursement issues, including fraud and abuse, payor contracts, medical staff and credentialing matters, Certificates of Need and HIPAA and related security breaches.

Stephanie has experience assisting health care clients with a wide variety of contracts, from physician and physician extender employment agreements to service agreements and medical staff bylaws and related documents. She has negotiated numerous managed care agreements and counseled clients on a variety of issues related to payor relationships. She has drafted and negotiated numerous purchase and sale transactions for health care clients. She has also worked with physicians and other practitioners involved in matters before the Department of Public Health and with other health care providers involved in a variety of Medicare/Medicaid matters. She has lectured on meaningful use of electronic health records and general medical records issues as well as various other CMS and state law requirements.

Beginning her legal career as an associate in the Firm’s Corporate and Health Care Departments, Stephanie also worked with Jeffers Cowherd P.C. where she practiced health care as well as promotions and marketing law. Her promotions and marketing practice includes client counseling, contract negotiation and preparation of sweepstakes and contest rules, including campaigns run through social media.

Stephanie received her B.S. summa cum laude from the University of Delaware and received her J.D. from Boston College Law School.

Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and…

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.