On Wednesday, the U.S. Department of Health and Human Services, Office for Civil Rights announced a $400,000 settlement with Metro Community Provider Network arising from MCPN’s alleged failure to implement adequate security management processes to safeguard electronic protected health information in accordance with the Health Insurance Portability and Accountability Act Security Rule. This settlement followed

Please join Crowell & Moring’s Jodi Daniel and Elliot Golding on January 31, 2017 for an ABA webinar titled “Evolving HIPAA Issues: Cloud, Mobile Apps, Access, and More.”

This in-person panel discussion (with simultaneous webinar broadcast) will provide perspectives from the HHS Office for Civil Rights (OCR), the former director of the HHS Office of

The Department of Health & Human Services Office for Civil Rights (“OCR”) announced on August 18, 2016 that it is stepping up enforcement actions related to small breaches.  Although OCR already investigates every reported breach affecting 500 or more individuals, this new initiative will increase investigations of breaches affecting fewer than 500 individuals.  As OCR recognizes,

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has finally announced that it is starting Phase 2 of its audit program.  OCR previously conducted a pilot audit of 115 Covered Entities in 2011-2012 to assess their controls and processes.  Building on that experience, OCR will target approximately 200 Covered Entities and Business Associates in Phase 2.  Here is what entities can expect:

What: The audits will largely be “paper” reviews of policies and procedures, but will also include some on-site visits.  OCR indicates that it is “enhancing” its prior audit protocol, which it has already revised to reflect changes made by the Omnibus Rule.  OCR will first conduct desk audits of Covered Entities, followed by a second round of desk audits of Business Associates (either round may also include site visits).  A third set of audits will be conducted primarily on-site and will consider a broader range of issues than the desk audits.  Some entities subject to a desk audit will also receive an on-site audit.  The audits will cover HIPAA only, not state privacy and security rules.

How: If selected for a desk audit, the timeline will generally be: (1) the entity has 10 business days to provide the requested documents electronically through a secure portal; (2) OCR prepares draft findings; (3) the auditee has 10 business days to review the draft findings and return written comments to OCR; and (4) OCR completes a final audit report within 30 days of receiving the auditee’s comments.  On-site audits will be more comprehensive than desk audits and will typically last 3-5 days.  In Phase 1 of the audit program, OCR typically provided 30-90 days’ advance notice, but it has not indicated how much notice will be provided for Phase 2.  As with desk audits, on-site auditees will have an opportunity to respond to OCR’s preliminary findings before a final report is prepared.


Continue Reading OCR Announces Phase 2 of HIPAA Audits

OCR just announced another huge settlement.  The $1.5 million settlement with North Memorial Health Care is based on the alleged failure to enter into a business associate agreement and the alleged failure to conduct a risk analysis.  The investigation started (as is often the case with OCR settlements) after OCR received a breach report regarding a stolen laptop

On Monday, the HHS Office for Civil Rights (OCR) released its third resolution and settlement agreement in as many weeks.  The $750,000 settlement with the University of Washington Medicine (“UWM”) is yet another citing the alleged failure to conduct an enterprise-wide risk analysis as required by the HIPAA Security Rule.  As part of the settlement,

The day before Thanksgiving, the HHS Office for Civil Rights (OCR) announced its first settlement involving a reported data breach implicating the security of medical devices used in a hospital setting. OCR’s $850,000 settlement and resolution agreement with Lahey Hospital and Medical Center (LHMC) stems from the theft, from an unlocked treatment room on August 11, 2011, of a laptop workstation used to operate a portable CT scanner and produce its images.

Consistent with its past practice, OCR followed LHMC’s required breach reports with an in-depth investigation that uncovered additional alleged HIPAA Security Rule violations. As part of the resolution agreement, LHMC agreed to update its security policies and procedures and to comply with the extensive training and reporting conditions of a two-year corrective action plan.

The LHMC resolution is especially noteworthy for several reasons. First, it is the first OCR resolution specifically involving a medical device in a hospital setting, as opposed to ePHI that hospitals store in EMRs/EHRs. Second, the number of individuals affected (only 600) was low compared to other incidents that drew comparably large settlements, which shows that OCR is focused on small as well as large incidents.


Continue Reading HHS-OCR Announces First Settlement Involving Medical Device Security Issues