
HIPAA Policies and Procedures – Make sure they are in final form.

In a statement released on April 24, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), once again demonstrated the level of compliance it expects from covered entities and business associates. As discussed below, OCR has shown that it will not limit its review to the particular alleged violation of the HIPAA Privacy and Security Rules, but will instead take an enterprise-wide view of the compliance efforts of covered entities and business associates.

HIPAA Fines – Not Just for Hospitals and Health Insurers

In a statement released on April 12, 2017, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), made clear that it expects covered entities of all sizes to adhere to the HIPAA Privacy and Security Rules. While many of the fines levied by OCR in the past have involved large covered entities such as hospitals and health plans, OCR's most recent enforcement action resulted in a $400,000 settlement to be paid by a federally qualified health center in Colorado.

Merry Christmas from the OCR – Dermatology Practice Settles Potential HIPAA Violations

On December 24, 2013, the HHS Office for Civil Rights ("OCR") and Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts entered into a Resolution Agreement whereby the practice agreed to settle potential violations of the HIPAA Privacy and Security Rules. The potential violations arose from the theft of an unencrypted thumb drive, containing the ePHI of approximately 2,200 patients, from the car of a practice employee. The lack of encryption is significant: under HHS guidance, ePHI encrypted in accordance with that guidance is not "unsecured" PHI, so the loss of an encrypted drive would not by itself have triggered the breach notification obligations that brought the practice to OCR's attention.

Upon being notified of the breach, OCR conducted an investigation and determined that the practice had failed to conduct an accurate and thorough analysis of the potential risks to the ePHI in its care. OCR further determined that the practice did not have adequate written policies and procedures and had not adequately trained its employees.

The Resolution Agreement entered into between the practice and OCR requires the practice to make a $150,000.00 payment to OCR and to implement a corrective action plan. The Resolution Agreement is not an admission of liability by the practice.

A copy of the Resolution Agreement may be found at:

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-resolution-agreement.pdf

Physician practices should view this settlement as a clear indication that OCR expects compliance from all covered entities, not just large entities such as hospitals, universities and managed care organizations. Physician practices that are not yet in compliance with the HIPAA Privacy and Security Rules should take the appropriate steps to come into compliance, beginning with a documented risk analysis, written policies and procedures, workforce training, and encryption of ePHI stored on portable media.

William Dillon
Board Certified in Health Law