OCR Settlements on the Rise as HHS Resumes Enforcement

With two OCR settlements announced within the span of a week, it seems the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has resumed its enforcement efforts.

On July 23, OCR announced a $25,000 settlement with Metropolitan Community Health Services, while on July 27, OCR announced a $1,040,000 settlement with Lifespan Affiliated Covered Entity. Both entities are also subject to corrective action plans and two years of monitoring by OCR. The details of the OCR settlements are discussed below.

OCR Settlements: Metropolitan Community Health Services

On June 9, 2011, Metropolitan Community Health Services (Metro) filed a breach report with the OCR regarding an unauthorized disclosure of protected health information (PHI). The breach occurred due to disclosure of PHI to an unknown email account, compromising the PHI of 1,263 patients. Although the breach itself wouldn’t normally lead to a HIPAA fine, upon investigation, OCR found that Metro had a long history of noncompliance with the HIPAA Security Rule.

The noncompliance included:

  • Failure to conduct any risk analyses
  • Failure to implement policies and procedures
  • Failure to provide workforce members with security awareness training

OCR Director Roger Severino stated, “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”

OCR Settlements: Lifespan Affiliated Covered Entity

On April 21, 2017, Lifespan Affiliated Covered Entity’s (Lifespan ACE) parent company, Lifespan Corporation, filed a breach report with OCR. The breach was the result of an employee leaving an unattended laptop in their car. The laptop was stolen, and since it was unencrypted, the PHI of 20,431 patients was compromised.

Upon investigation, OCR discovered that Lifespan ACE was not compliant with HIPAA standards.

This noncompliance with HIPAA standards included:

  • Failure to encrypt ePHI on laptops when it was reasonable and appropriate to do so
  • Failure to implement media and device controls
  • Failure to have a business associate agreement with Lifespan Corporation

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
