OCR Settlements

With two OCR settlements announced within the span of a week, it seems the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has resumed its enforcement efforts.
On July 23, OCR announced a $25,000 settlement with Metropolitan Community Health Services, while on July 27, OCR announced a $1,040,000 settlement with Lifespan Affiliated Covered Entity. Both entities are also subject to corrective action plans and two years of monitoring by OCR. The details of the OCR settlements are discussed below.

OCR Settlements: Metropolitan Community Health Services

On June 9, 2011, Metropolitan Community Health Services (Metro) filed a breach report with the OCR regarding an unauthorized disclosure of protected health information (PHI). The breach occurred due to disclosure of PHI to an unknown email account, compromising the PHI of 1,263 patients. Although the breach itself wouldn’t normally lead to a HIPAA fine, upon investigation, OCR found that Metro had a long history of noncompliance with the HIPAA Security Rule.
The noncompliance included:

  • Failure to conduct any risk analyses
  • Failure to implement policies and procedures
  • Failure to provide workforce members with security awareness training

OCR Director Roger Severino stated, “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”
For more information on the OCR settlement, please click here.

OCR Settlements: Lifespan Affiliated Covered Entity

On April 21, 2017, Lifespan Affiliated Covered Entity’s (Lifespan ACE) parent company, Lifespan Corporation, filed a breach report with OCR. The breach was the result of an employee leaving an unattended laptop in their car. The laptop was stolen, and since it was unencrypted, the PHI of 20,431 patients was compromised.

Upon investigation, OCR discovered that Lifespan ACE was not compliant with HIPAA standards. This noncompliance with HIPAA standards included:

  • Failure to encrypt ePHI on laptops when it was reasonable and appropriate to do so
  • Failure to implement media and device controls
  • Failure to have a business associate agreement with Lifespan Corporation

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
For more information on the OCR settlement, please click here.