The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently announced a $100,000 settlement with a company that is no longer in business. Filefax, Inc. (Filefax) was an Illinois company that provided storage and delivery services for medical records held by covered entities. OCR had been investigating Filefax since 2015 for allegedly leaving medical records containing PHI of approximately 2,150 patients in an unlocked vehicle in a Filefax parking lot and/or allowing an unauthorized person to remove the files from the facility.

A court-ordered receiver liquidated Filefax’s assets in 2016. As part of the settlement with OCR, the receiver agreed to pay $100,000 and properly dispose of all medical records and PHI remaining in Filefax’s possession. The settlement amount may be small, but the circumstances are striking. OCR’s pursuit of a settlement against a defunct company serves as a lesson to other health care companies that no one is off limits to HIPAA enforcement actions.

OCR’s press release about the settlement is available here.

It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million!

On October 7, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published guidance to assist cloud service providers (CSPs) and their customers with HIPAA compliance. As discussed below, the guidance clarifies important questions about operating in the cloud, including the role of encryption when determining whether a cloud service provider is a business associate.

Capping off a busy month of HIPAA settlements, on August 4, the Office for Civil Rights (“OCR”) announced a $5.55 million settlement with Advocate Health Care Network (“Advocate”), the largest fully-integrated healthcare system in Illinois. The settlement is the largest HIPAA settlement ever by a single entity. The settlement comes on the heels of two July settlement announcements with Oregon Health & Science University (“OHSU”) ($2.7 million) and the University of Mississippi Medical Center ($2.75 million). In total, OCR has reached nine HIPAA settlements in 2016, in addition to the imposition of civil monetary penalties against Lincare, Inc. (which we covered here). In contrast, the office entered into only six settlements in all of 2015. As Jocelyn Samuels, the Director of OCR, indicated in a press release regarding the Advocate settlement, the settlements should be a wake-up call to HIPAA Covered Entities and Business Associates:

We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.


Last Friday, the U.S. Department of Health and Human Services Office of the National Coordinator for Health IT (“ONC”) and the Office for Civil Rights (“OCR”) released two fact sheets regarding permitted uses and disclosures of protected health information (“PHI”) among health care providers and other entities covered by HIPAA. ONC and OCR developed these fact sheets after health care providers expressed confusion over whether and when PHI can be shared without the patient’s prior written consent under the HIPAA Privacy Rule (the “Privacy Rule”). Additionally, as ONC has been actively pushing health care providers toward interoperability of electronic health recordkeeping systems, many view the lack of clarity and understanding around the Rules as a hindrance to achieving this goal.


Written by Dianne J. Bourque and Stephanie D. Willis

The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines.

Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance deadlines depend on whether there is a current agreement in place that meets regulatory requirements. New BAAs and DUAs must comply with Omnibus Rule requirements by September 23, 2013; otherwise, BAAs and DUAs that only became non-compliant after the Office for Civil Rights (OCR) released the Omnibus Rule may remain in effect until September 22, 2014 (or until the applicable agreement renewal date). All parties must still comply with the Breach Notification interim final rule requirements under the HITECH Act during the 180-day transition period between March 26th and September 23rd of this year.

In the meantime, covered entities and business associates should be at least planning, if not undertaking, the following tasks:

  1. Preparing new, Omnibus Rule-compliant BAAs and DUAs in advance of contract renewal dates or the compliance deadline;
  2. Updating HIPAA policies and procedures and training materials;
  3. (Re)educating staff on their duties and responsibilities regarding protected health information and breach notification requirements; and
  4. Remaining alert for additional guidance from OCR.

Written By Kimberly Gold

The Department of Health and Human Services, Office for Civil Rights (OCR) has posted on its website sample business associate agreement provisions to help covered entities and business associates comply with the new business associate agreement requirements under the final HIPAA Omnibus Rule.


Written by Dianne J. Bourque and Stephanie D. Willis

The HHS Office for Civil Rights (OCR) begins its pilot HIPAA compliance audit program this month. Section 13411 of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to perform these periodic audits of covered entities and business associates to evaluate compliance with the HIPAA Privacy and Security Rules and Breach Notification standards. The main purpose of the audits is to help OCR identify helpful technical assistance and effective corrective action mechanisms. But if OCR uncovers a more egregious compliance issue, it may perform a more invasive compliance review.

According to OCR’s website:

  • OCR will perform up to 150 audits between November 2011 and December 2012.
  • OCR will attempt to include a wide range of covered entities – from covered individual and organizational providers of health services, to health plans of all sizes, and health care clearinghouses.
  • OCR will provide written notice to covered entities selected for an audit between 30 and 90 days before a planned onsite visit. Depending upon the complexity of the organization and the auditor’s need to access materials and staff, these onsite visits may last between 3 and 10 business days.
  • After the onsite visit, the covered entity will have the opportunity to review and provide written comments within 10 days after the OCR auditor provides it with a draft final report.
  • Within 30 days after receiving the covered entity’s response, the OCR auditor will submit a final audit report to OCR. The entities to be audited as well as the results of the audits will not be listed publicly.

The pilot audit program is just another brick in the wall of HIPAA enforcement that OCR has been building in recent years. A past post on our sister blog, Privacy and Security Matters, mentioned OCR’s numerous activities, which now include the HIPAA Enforcement Training sessions held nationwide for state attorneys general and three formal Resolution Agreements signed between February and July of this year alone. And more settlements are likely coming down the pike, given the recent TRICARE breach and the fact that there are 301 Security Rule complaints and compliance reviews open as of September 30, 2011.

With the new audit efforts beginning, it has become even more imperative for covered entities to monitor the activities of their business associates, for business associates to monitor their own activities, and for both to update their own internal privacy and security processes.