HealtHITechLaw HIPAA, HITECH and Beyond

Category Archives: Enforcement

Largest HIPAA Settlement Announced by HHS

Posted in Breach, Enforcement

Many thanks once again to our colleague, Robin Canowitz, for authoring this post. In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic health information (ePHI) of thousands of their patients.  New York Presbyterian Hospital (NYP) and… Continue Reading

Unencrypted Laptops Result In Significant HIPAA Fines

Posted in Breach, Enforcement

In April 2014, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) continued to emphasize the importance of encryption in maintaining the confidentiality and security of protected health information (“PHI”), especially in addressing and mitigating the significant risk to PHI posed by unencrypted laptops and other mobile devices. On April 22,… Continue Reading

OCR TO BEGIN SECOND ROUND OF HIPAA AUDITS

Posted in Enforcement, OCR Audits

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) has announced that it is gearing up for its second round of HIPAA compliance audits later this year.  The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act and is intended to assess compliance with the HIPAA Privacy, Security,… Continue Reading

Dermatology Practice Hit With $150,000 HIPAA Penalty

Posted in Breach, Enforcement

2013 ended like it started – with OCR actively monitoring and enforcing health care provider HIPAA compliance.  On December 26, 2013, OCR imposed a $150,000 penalty and a corrective action plan upon a Massachusetts dermatology physician practice arising out of a self-reported HIPAA breach.   See Resolution Agreement. In October 2011, Adult & Pediatric Dermatology, P.C. of… Continue Reading

Employee Sentenced to 3 Years for Violating HIPAA

Posted in Enforcement

A nursing assistant at a Florida assisted living facility was sentenced last week to 37 months in prison for violating HIPAA’s prohibition on the wrongful disclosure of patient health information.  The employee negotiated the sale of Social Security numbers with an undercover Tampa police detective.  According to the criminal complaint, the employee obtained information from the assisted… Continue Reading

OCR Issues Guidance on Refill Reminder Exception to HIPAA Marketing Rule

Posted in Enforcement, Rulemaking

Prompted by litigation filed by Adheris[1] as well as concerns raised by consumer advocates and health care stakeholders regarding the viability of prescription refill reminder programs under HIPAA’s stricter marketing prohibitions, on September 19, 2013, OCR issued additional guidance regarding the scope of HIPAA’s refill reminder exception.  Notably, OCR also delayed enforcement on this issue… Continue Reading

The Final Omnibus HIPAA Rule: Are You Ready?

Posted in Enforcement, Rulemaking

As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are less than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules.  For those entities that have already taken steps following the release of the HITECH interim rules, the… Continue Reading

OCR Settles with Hospice of Northern Idaho for $50,000.00

Posted in Enforcement

OCR’s recent enforcement action against a small non-profit hospice organization in Idaho is more evidence that OCR is looking carefully at HIPAA Security Rule compliance.  On December 28, 2012, HHS announced that Hospice of Northern Idaho (“HONI”) had agreed to pay HHS $50,000 to settle potential violations of the HIPAA Security Rule.  This is the… Continue Reading

STATE ATTORNEYS GENERAL WADE FURTHER INTO HIPAA POOL

Posted in Business Associate, Enforcement

In 2009, HITECH gave State Attorneys General the authority to bring civil actions on behalf of their state residents for violations of HIPAA.  The HITECH Act permits State Attorneys General to sue in federal district court to obtain monetary damages on behalf of state residents and/or to enjoin further violations of HIPAA. Although trained by… Continue Reading

Alaska Medicaid Pays $1.7 Million to Settle HIPAA Violations

Posted in Enforcement

Last week, the Alaska Department of Health and Human Services (“Alaska DHHS”), the state’s Medicaid agency, agreed to pay U.S. Health and Human Services $1.7 million to settle alleged violations of the HIPAA Security Rule.  The HIPAA Security Rule protects health information in electronic form by requiring covered entities to use physical, technical, and administrative… Continue Reading

OCR Presents Preliminary HIPAA Audit Findings

Posted in Enforcement

OCR’s Audit Program, which began in December 2011, is part of HHS’ efforts under HITECH to assess HIPAA compliance by covered entities, identify best practices, and discover risks and vulnerabilities in protecting the privacy and security of PHI which may not have come to light through OCR’s complaint investigation and compliance reviews. OCR has repeatedly stated that… Continue Reading

OCR EDUCATES CONSUMERS REGARDING HIPAA RIGHT OF ACCESS

Posted in Enforcement

Health care providers and health plans should expect an increase in patient requests for their own health care information as OCR continues to emphasize the HIPAA right of access. On May 31, 2012, Leon Rodriguez, Director of OCR, issued a memorandum regarding patients’ fundamental right to access their own health care information.  See  hhs.gov/ocr/privacy/hipaa/understanding/consumers/righttoaccessmemo.pdf.  Director Rodriguez,… Continue Reading

HIPAA Criminal Liability May Be Significant

Posted in Enforcement

A recent decision serves as a reminder that violations of HIPAA may trigger criminal liability. The Ninth Circuit Court of Appeals held that a former hospital employee is subject to HIPAA’s criminal penalties for the unauthorized access to patient records after he was terminated.  The former employee was sentenced to four months in prison, followed… Continue Reading

HIPAA Enforcement Targets Small Physician Practice

Posted in Enforcement

A 5-physician practice in Phoenix was the target of HHS Office of Civil Rights’ (“OCR”) most recent enforcement action.  The practice agreed to pay HHS a resolution amount of $100,000, as well as enter into a Corrective Action Plan, for its failure to comply with the most fundamental of HIPAA requirements.  As I discussed at the… Continue Reading

Blue Cross Blue Shield Settles HIPAA Violation With HHS for $1.5 Million

Posted in Enforcement

On March 13, 2012, HHS announced that Blue Cross Blue Shield of Tennessee (“BCBST”) has agreed to pay it $1.5 million to settle  potential HIPAA violations arising from the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee.  This settlement is significant because it is OCR’s first enforcement action arising out… Continue Reading

HIPAA Business Associate Becomes Target of State AG Enforcement

Posted in Business Associate, Enforcement

A recent complaint filed by the Minnesota State Attorney General against a HIPAA business associate seeks to recover statutory damages for multiple alleged violations of the HIPAA Security Rule.  Following last year’s HHS OCR enforcement targeting HIPAA covered entities, this latest HIPAA enforcement should place all business associates on notice that enforcement authorities have them… Continue Reading

Proposed 2013 Budget Will Decrease Funding for OCR HIPAA Enforcement

Posted in Enforcement

The President’s fiscal year 2013 budget proposes to decrease funding for the Department of Health and Human Services Office of Civil Rights (“OCR”) by $2 million.  The estimated budget allocates $39 million to the agency charged with HIPAA enforcement, down from an estimated $41 million in fiscal 2012.  In light of OCR’s enhanced enforcement capabilities… Continue Reading