

OCR Settlements on the Rise as HHS Resumes Enforcement

Aug 7, 2020

With two OCR settlements announced within the span of a week, it seems the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has resumed its enforcement efforts.
On July 23, OCR announced a $25,000 settlement with Metropolitan Community Health Services, while on July 27, OCR announced a $1,040,000 settlement with Lifespan Affiliated Covered Entity. Both entities are also subject to corrective action plans and two years of monitoring by OCR. The details of the OCR settlements are discussed below.

OCR Settlements: Metropolitan Community Health Services

On June 9, 2011, Metropolitan Community Health Services (Metro) filed a breach report with the OCR regarding an unauthorized disclosure of protected health information (PHI). The breach occurred due to disclosure of PHI to an unknown email account, compromising the PHI of 1,263 patients. Although the breach itself wouldn’t normally lead to a HIPAA fine, upon investigation, OCR found that Metro had a long history of noncompliance with the HIPAA Security Rule.
The noncompliance included:

  • Failure to conduct any risk analyses
  • Failure to implement policies and procedures
  • Failure to provide workforce members with security awareness training

OCR Director Roger Severino stated, “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.”

OCR Settlements: Lifespan Affiliated Covered Entity

On April 21, 2017, Lifespan Affiliated Covered Entity’s (Lifespan ACE) parent company, Lifespan Corporation, filed a breach report with OCR. The breach was the result of an employee leaving an unattended laptop in their car. The laptop was stolen, and since it was unencrypted, the PHI of 20,431 patients was compromised.

Upon investigation, OCR discovered that Lifespan ACE was not compliant with HIPAA standards. The noncompliance included:

  • Failure to encrypt ePHI on laptops when it was reasonable and appropriate to do so
  • Failure to implement media and device controls
  • Failure to have a business associate agreement with Lifespan Corporation

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.
