HIPAA Fines – Not Just for Hospitals and Health Insurers

In a statement released on April 12, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), made clear that it expects covered entities of all sizes to adhere to the HIPAA privacy and security rules. While many of the fines levied by OCR in the past have involved large covered entities such as hospitals and health plans, OCR’s most recent enforcement action resulted in a $400,000 settlement to be paid by a federally qualified health center in Colorado.

In the OCR statement (https://www.hhs.gov/about/news/2017/04/12/overlooking-risks-leads-to-breach-settlement.html), the Metro Community Provider Network agreed to pay $400,000 related to its alleged failure to properly comply with applicable privacy and security rules. The settlement, which also included a corrective action plan, stemmed from a 2012 security breach that the health center had reported to OCR. OCR’s subsequent investigation into the matter revealed that the health center had neither conducted a timely security risk analysis nor properly implemented a corresponding risk management plan to address the identified deficiencies.

This settlement should serve as a reminder to covered entities of all sizes that OCR expects compliance with applicable privacy and security rules. Covered entities should continue to exercise ongoing due diligence by regularly reviewing and updating, as needed, privacy and security policies and practices.

William Dillon
Board Certified in Health Law
Messer Caparello, P.A.
(850) 222-0720