Second HIPAA Enforcement Action of 2020 Announced

Themes from the 2019 enforcement year continue: neither size nor non-profit status matter, but HIPAA Security Rule compliance does.  Today, the Office for Civil Rights (OCR) announced a $25,000 settlement with a small federally qualified health center (FQHC) for systemic HIPAA Security Rule violations.  This is only OCR’s second announced resolution this year, likely due to the COVID-19 public health emergency.

Over 9 years ago, the 43-employee FQHC reported a disclosure of patient information to an unknown email account affecting 1,263 patients.  This breach report prompted an investigation.  According to the resolution agreement, OCR’s investigation revealed failures to implement HIPAA Security Rule policies and procedures, to provide security awareness training to its staff and to conduct an accurate and thorough assessment of potential risks and vulnerabilities to electronic protected health information.  These failures represent a near complete failure to comply with the HIPAA Security Rule.

Unfortunately, the lack of compliance with HIPAA Security Rule requirements, like performing a thorough risk analysis or implementing security policies and procedures, are common enforcement findings.  With more and more breaches of electronic information occurring, the focus on the HIPAA Security Rule will only intensify.

In the first announced resolution this year, a small gastroenterology practice agreed to pay $100,000 for failing to complete an accurate and thorough risk analysis, to implement measures to reduce identified risks and vulnerabilities and to have an adequate business associate agreement with its electronic health record vendor.  Like the settlement announced today, a breach report triggered OCR’s investigation.

Providers of all sizes need to focus on HIPAA Security Rule compliance, especially now that we are relying even more heavily on electronic systems, such as telehealth.