HIPAA Policies and Procedures – Make sure they are in final form.

In a statement released on April 24, 2017, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR), has shown once again the level of expectations that exist for covered entities and business associates. As discussed below, OCR has shown that it will not just limit its review to a particular alleged violation of the HIPAA Privacy and Security Rules but rather will take an enterprise wide view of the compliance efforts of covered entities and business associates.

In an OCR statement (https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html), CardioNet, a provider of mobile monitoring services, agreed to pay $2,500,000 related to its alleged failure to properly comply with applicable privacy and security rules. The settlement, which also included a corrective action plan, stemmed from a 2012 security breach (stolen laptop) that had been reported to OCR by CardioNet. OCR’s subsequent investigation into the matter revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, OCR noted that CardioNet’s HIPAA Security Rule policies and procedures were in “draft” form and had never been formally implemented.

This settlement serves as evidence of OCR’s ongoing compliance expectations for covered entities and business associates.

William Dillon
Board Certified in Health Law
Messer Caparello, P.A.
(850) 222-0720