On March 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) signaled to covered entities of all sizes that they need to take their HIPAA obligations seriously.  OCR entered into a settlement and corrective action plan with a small physician practice for $100,000 to settle alleged violations of the HIPAA Security Rule.  This enforcement action is an example of OCR enforcing HIPAA’s requirements on smaller covered entities.  OCR specifically noted that this practice sees approximately 3,000 patients per year.
Continue Reading A Reminder That Covered Entities Of All Sizes Need To Comply With HIPAA Security Rule

Last week, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) imposed a civil monetary penalty (“CMP”), to the tune of $2.15 million, against Jackson Health System (“JHS”).  The CMP stemmed from JHS’ numerous HIPAA violations that occurred from 2013 through 2016.  
Continue Reading A HIPAA Compliance Program “In Disarray” Leads to OCR Imposing a $2.15 Million Civil Monetary Penalty

There is no doubt that social media has its benefits, especially for medical practices that have come to use it for marketing and advertising.  However, risks are lurking.  On October 2, 2019, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) entered into a $10,000 settlement with a dental practice (the “Practice”) for disclosing protected health information of a patient when responding to a review on a Yelp page.
Continue Reading OCR Fines Dental Practice $10,000 For Social Media Disclosures

Privacy and cybersecurity is at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals.  The first breach involved a security configuration where persons could access files with ePHI without a username or password, thereby making ePHI available to anyone with access to the health system’s server.  The second breach involved a server misconfiguration, exposing the health system’s ePHI over the internet, including social security numbers and treatment information.
Continue Reading HIPAA Enforcement In 2018 Hits All Time High

HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. 
Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital

Data breaches have become commonplace in every industry. In health care, however, it costs much more to respond to a data breach than in all other industries in this country, according to the results of a recent IBM-sponsored study.1  The report estimates that a health care data breach costs $380 per record on average versus $225 per record in other industries. While the increased cost of a health care record is unavoidable due to the sensitive nature of the information and the fact that it is more valuable to criminals on the dark web, health care providers can take steps to prepare for a data breach, which can reduce the risk of a breach occurring and minimize costs if one occurs.
Continue Reading Data Breaches Most Expensive For Health Care Industry But Precautionary Measures Can Keep Costs Down