Category Archives: HIPAA

The Crushing Cost of HIPAA Security Rule Non-Compliance

In just one week, OCR announced settlements totaling $10.6 million with three organizations for alleged systemic HIPAA Security Rule violations. In each of the three cases, the entity self-reported a hacking incident. Combined, the hacking incidents compromised the health information of more than 16 million people. While it’s not common to see three large settlements in one week, enforcement for HIPAA Security Rule non-compliance is not new and likely will continue with increasing intensity.

DMC Law and IT Direct Team Up to Offer a 3-Part HIPAA Security and Cybersecurity Webinar

October is Cybersecurity Awareness Month!  It’s no secret that healthcare entities and the businesses that serve them are a popular target for cybercriminals – costing millions each year and damaging reputations. In fact, hacking and IT incidents are the leading cause of reported HIPAA breaches.   Healthcare executives need to understand both the risks and […]

Hacked Orthopedic Provider to Pay $1.5 Million to Settle Claims of Systemic HIPAA Violations

Today, OCR announced its largest HIPAA enforcement settlement so far this year. An orthopedic clinic agreed to pay $1.5 million and to adopt a corrective action plan after a 2016 hacking incident that compromised over 200,000 patient records. OCR’s investigation revealed systemic HIPAA Privacy and Security Rule issues. This settlement confirms that HIPAA Security Rule violations remain an important enforcement focus, that post-incident compliance will not excuse pre-incident noncompliance and that seven figure settlements are not reserved just for large hospital systems.

OCR’s HIPAA Right of Access Enforcement Initiative Heats Up

Today, OCR announced five new settlements under its “HIPAA Right of Access Initiative,” making right of access the most prominent area of HIPAA enforcement so far this year. In 2019, OCR indicated that it would prioritize claims involving individuals’ right to receive timely access to their health records at a reasonable cost under the HIPAA Privacy Rule. And it is making good on its promise. All providers must pay special attention to this issue as patient complaints in this area are high and provider compliance typically is not strong.

Drafting an Effective HIPAA Breach Report

HIPAA breaches happen. So long as humans are involved in handling protected health information (PHI), there will be mistakes that result in a breach (and, of course, this does not include hacking incidents or bad actor breaches). For compliance purposes, the response to a breach is key. Providers that respond swiftly, implement corrective measures and timely notify affected patients and file a thorough breach report with the Department of Health and Human Services (DHHS) are far more likely to avoid scrutiny.

First Seven-Figure HIPAA Settlement of 2020

Less than one week after its last announced settlement, the Office for Civil Rights announced its first seven-figure HIPAA settlement of 2020. A non-profit healthcare system in Rhode Island, Lifespan, agreed to pay $1,040,000 for alleged systemic HIPAA violations. A 2017 breach involving an unencrypted stolen laptop triggered the investigation. OCR found HIPAA Security Rule violations and the lack of a business associate agreement with its parent corporation, which reported the 2017 breach.

Second HIPAA Enforcement Action of 2020 Announced

Today, the Office for Civil Rights (OCR) announced a $25,000 settlement with a small federally qualified health center (FQHC) for systemic HIPAA Security Rule violations. Over 9 years ago, the FQHC reported a disclosure of patient information to an unknown email account affecting 1,263 patients. This breach report prompted an investigation revealing a near complete failure to comply with the HIPAA Security Rule.

Telehealth, Privacy and The Three Little Pigs

We learned early in life from the Three Little Pigs that a house made of straw or sticks, while much easier to build, lacks the safety and security of a brick house. This fable’s lesson applies to many scenarios including the recent rapid deployment of telehealth services. While a pandemic, not laziness, caused the hurried telehealth services implementation for many, that’s irrelevant to the big bad wolf (and there is always a big bad wolf). He will come and he will huff, and he will puff, and he will compromise the privacy of patient information in a system without adequate protections.