How to Avoid Being the Next OCR Target for a HIPAA CMP

Bryan Cave – How to Avoid Being the Next OCR Target for a HIPAA CMP

In 2016, the Office for Civil Rights (“OCR”) imposed civil monetary penalties (“CMPs”) of over $22.8 million on 12 entities, including a business associate. The most frequent violations of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act regulations (“HIPAA Laws”) are not hacking! …

how-to-avoid

Business Associates Beware! OCR Means Business

In June 2016, OCR entered into its first settlement agreement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), for potential violations of the HIPAA Laws by failing to protect electronic protected health information (“EPHI”) of nursing home residents. The smartphone of a CHCS employee was stolen and contained EPHI. The smartphone was not password protected, and the EPHI was unencrypted. The EPHI of more than 400 residents included social security numbers, diagnostic and treatment information, medications, and the names of family members and legal guardians. OCR determined that CHCS had failed to perform a HIPAA Security Risk Assessment and implement a risk management plan regarding compliance with the HIPAA Laws, and that CHCS didn’t have policies and procedures as required under the HIPAA Security Rule. The settlement included a penalty of $650,000 and a corrective action plan for two years, which will be monitored by OCR….beware