Providers Beware: OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity:

Make sure risk assessments, business associate agreements and policies & procedures are in place and up to date.

In a two week period, the United States Department of Health and Human Services, Office for Civil Rights (OCR) published settlements with three different health care providers for violations of HIPAA. The settlements were not insignificant, ranging from $31,000 for a small physician practice, to $400,000 for a federally qualified health center (FQHC), to $2,500,000 for a wireless health services provider. Each of these violations and subsequent settlements should act as a cautionary tale to providers, both large and small, that they must continue to be vigilant in their HIPAA compliance efforts.

On April 12, OCR reached a $400,000 settlement, resolution and corrective action plan with an FQHC. In late January 2012, the FQHC experienced a breach due to a phishing incident. While the FQHC took corrective action to prevent similar events from occurring in the future, OCR’s subsequent investigation exposed that the FQHC failed to conduct its first risk analysis until mid-February 2012, weeks after the incident. Further, OCR deemed that this first risk analysis, and all subsequent risk analyses performed by the FQHC, were insufficient to meet the HIPAA Security Rule requirements.

On April 20, OCR reached a $31,000 settlement, resolution and corrective action plan with a small pediatric subspecialty practice. The practice used a business associate to store records containing protected health information (PHI). After a compliance review, OCR investigated the practice and discovered that it did not have a signed business associate agreement in place with the records storage company until approximately twelve years after it started using the company.

On April 24, OCR reached a $2,500,000 settlement, resolution and corrective action plan with a company that provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. This settlement represents the first in which OCR focused on a wireless health services provider. The company experienced a breach when an employee’s laptop, containing PHI of nearly 1,400 patients, was stolen from his car, parked outside his home. After the company reported the breach to OCR, OCR conducted an investigation. This investigation uncovered that the company: (1) conducted an insufficient risk analysis and had an inadequate risk management process; (2) had only draft policies and procedures to implement the HIPAA Security Rule; and (3) had no final policies or procedures implementing safeguards for electronic PHI, including those for mobile devices containing PHI.

These enforcement actions should serve as reminders to providers of all types and sizes, as we predict that OCR’s enforcement actions will continue.

Print:
EmailTweetLikeLinkedIn
Photo of Daniel J. Kagan Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and…

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.