The U.S. Department of Health and Human Services (HHS) Office for Civil Rights’ (OCR) HIPAA enforcement continues during the pandemic. This year, OCR has already settled with three covered entities (CEs) following investigations into their reported breaches. Such settlements remind healthcare organizations of the importance of HIPAA compliance and strong cybersecurity even during health crises.
What is HIPAA?
HIPAA is U.S. legislation created to improve health coverage standards and combat abuse related to protected health information (PHI). Most commonly associated with HIPAA are Title II and its significant provisions:
- Privacy Rule (2003) – covers PHI protection and compliance standards
- Security Rule (2005) – sets security standards to protect electronic PHI (ePHI)
- Enforcement Rule (2006) – sets HIPAA enforcement standards
- HITECH Act (2009) – promotes the adoption and meaningful use of technology
Recent OCR settlements
Fees for the three recently settled cases—Steven A. Porter, M.D., Metropolitan Community Health Services, and Lifespan Health System Affiliated Covered Entity—total almost $1.2 million.

| | Porter, M.D. | Metro | Lifespan |
|---|---|---|---|
| Date breach filed | 2013 | 2011 | 2017 |
| Date settled in 2020 | March 3 | July 23 | July 27 |
| Fee | $100,000 | $25,000 | $1.04 million |
| Misc. penalty | Corrective plan | Corrective plan | Corrective plan |
| # affected individuals | 500 | 1,263 | 20,431 |
| Type of breach | Improper disposal | Phishing | Theft of laptop |
| Why a violation | No risk analysis conducted; failed to implement security measures | No risk analysis conducted; did not adhere to Security Rule; did not provide training until 2016 | Failure to encrypt; lack of media/device controls; absence of a business associate agreement (BAA) |
In general, OCR focused on the lack of security as related to:
- Encryption
- Risk analysis and management
- BAs and BAAs
- Employee awareness training
Accountability and security
Without enforcement, compliance may not be a top priority, especially during a pandemic; accountability ensures strong cybersecurity. And as HHS has stated in the past, HIPAA and compliance reviews are never suspended. OCR recently modified certain rules around the use of telehealth, COVID-19 testing sites, and communication, but HIPAA compliance is still necessary, especially as safety concerns grow with increased remote working, telehealth, and telecommunication. Emphasis must be on strong policies and procedures, employee awareness training, and solid email security (i.e., HIPAA compliant email).

Paubox Email Suite encrypts all emails sent from a customer’s existing email platform. Emails are delivered directly to a patient’s inbox with no extra steps or passwords required. Paubox Email Suite is perfect for helping CEs avoid a HIPAA violation when protection is needed the most.