Less than one week after its last announced settlement, the Office for Civil Rights announced its first seven-figure HIPAA settlement of 2020. A non-profit healthcare system in Rhode Island, Lifespan, agreed to pay $1,040,000 for alleged systemic HIPAA violations. A 2017 breach involving an unencrypted stolen laptop triggered the investigation. OCR found HIPAA Security Rule violations and the lack of a business associate agreement with its parent corporation, which reported the 2017 breach.
Tag Archives: HIPAA Enforcement
Today, the Office for Civil Rights (OCR) announced a $25,000 settlement with a small federally qualified health center (FQHC) for systemic HIPAA Security Rule violations. Over 9 years ago, the FQHC reported a disclosure of patient information to an unknown email account affecting 1,263 patients. This breach report prompted an investigation revealing a near complete failure to comply with the HIPAA Security Rule.
We learned early in life from the Three Little Pigs that a house made of straw or sticks, while much easier to build, lacks the safety and security of a brick house. This fable’s lesson applies to many scenarios including the recent rapid deployment of telehealth services. While a pandemic, not laziness, caused the hurried telehealth services implementation for many, that’s irrelevant to the big bad wolf (and there is always a big bad wolf). He will come and he will huff, and he will puff, and he will compromise the privacy of patient information in a system without adequate protections.
Lessons from the first enforcement action of 2020: (1) No covered entity is immune from HIPAA enforcement. (2) Craft factual breach reports that leave no unanswered questions and do not unnecessarily grab OCR’s attention.
It appears that the 2019 HIPAA enforcement year is over with a lot less fanfare (and cash) than last year. The total in settlements and penalties for 2019 is $12.2 million, which is substantially less than OCR’s highest ever total of $28.7 million just one year ago.
With less than two days left in 2019, the Department of Health and Human Services’ Office for Civil Rights announced that a small, rural Georgia ambulance provider agreed to pay $65,000 to settle claims of multiple HIPAA Security Rule violations.
Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a Right of Access Enforcement Initiative, which would focus on ensuring that patients were getting timely access to their records without being overcharged. Prior to this announcement, enforcement actions against providers for denying a patient the proper right of access were rare. Since announcing the initiative, OCR has swiftly pursued claims resulting in two settlements within months of each other.