On March 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) signaled to covered entities of all sizes that they need to take their HIPAA obligations seriously. OCR entered into a settlement and corrective action plan with a small physician practice for $100,000 to settle alleged violations of the HIPAA Security Rule. This enforcement action is an example of OCR enforcing HIPAA’s requirements on smaller covered entities. OCR specifically noted that this practice sees approximately 3,000 patients per year.
Continue Reading A Reminder That Covered Entities Of All Sizes Need To Comply With HIPAA Security Rule
Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”
On September 20, the Department of Health and Human Services Office for Civil Rights (OCR) announced separate settlements with Boston Medical Center (BMC), Brigham and Women’s Hospital (BWH) and Massachusetts General Hospital (MGH) with penalties totaling $999,000. In each instance, a news story about ABC News filming a medical documentary (a Boston Globe article on BMC and BWH and a posting on MGH’s website) prompted OCR to conduct “a compliance review.” In all three separate investigations, OCR found deficiencies. While the BMC settlement agreement does not provide any details on the specifically alleged improper conduct, the BWH and MGH agreements note that both hospitals took measures to protect patient information but nonetheless OCR found the efforts to be inadequate. In those agreements, OCR implies that BWH and MGH obtained at least some written authorizations but disclosed information to the film crews before obtaining those authorizations.
Continue Reading Boston-Area Hospitals Pay Nearly $1M in Penalties for Permitting Filming of “Boston Med”
OCR Releases Hurricane Florence Guidance Ahead of Storm
Hurricane Florence has caused the Department of Health and Human Services (“HHS”) to declare a public health emergency ahead of the storm. Accordingly, HHS’ Office for Civil Rights (“OCR”) released guidance ahead of the hurricane. The focus of the guidance is that HIPAA should not impede patient care in a disaster situation.
Continue Reading OCR Releases Hurricane Florence Guidance Ahead of Storm
ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital
HIPAA has teeth. On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA. In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR.
Continue Reading ALJ Judge Upholds OCR’s $4,348,000 Data Breach Penalty on Texas Hospital