
With two OCR settlements announced within the span of a week, it seems the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has resumed its enforcement efforts.
On July 23, OCR announced a $25,000 settlement with Metropolitan Community Health Services, while on July 27, OCR announced a $1,040,000 settlement with Lifespan Affiliated Covered Entity. Both entities are also subject to corrective action plans and two years of monitoring by OCR. The details of the OCR settlements are discussed below.

OCR Settlements: Metropolitan Community Health Services

On June 9, 2011, Metropolitan Community Health Services (Metro) filed a breach report with the OCR regarding an unauthorized disclosure of protected health information (PHI). The breach occurred due to disclosure of PHI to an unknown email account, compromising the PHI of 1,263 patients. Although the breach itself wouldn’t normally lead to a HIPAA fine, upon investigation, OCR found that Metro had a long history of noncompliance with the HIPAA Security Rule.
The noncompliance included:

  • Failure to conduct any risk analyses
  • Failure to implement policies and procedures
  • Failure to provide workforce members with security awareness training

OCR Director Roger Severino stated, “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”

OCR Settlements: Lifespan Affiliated Covered Entity

On April 21, 2017, Lifespan Affiliated Covered Entity’s (Lifespan ACE) parent company, Lifespan Corporation, filed a breach report with OCR. The breach was the result of an employee leaving an unattended laptop in their car. The laptop was stolen, and since it was unencrypted, the PHI of 20,431 patients was compromised.

Upon investigation, OCR discovered that Lifespan ACE was not compliant with HIPAA standards. The noncompliance included:

  • Failure to encrypt ePHI on laptops when it was reasonable and appropriate to do so
  • Failure to implement media and device controls
  • Failure to have a business associate agreement with Lifespan Corporation

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
