HHS OCR Announces Largest Civil Monetary Penalty Imposed Since 2021 for Snooping Incident

BakerHostetler
Nearly two months after the settlement was reached, the Department of Health and Human Services Office for Civil Rights (HHS OCR) announced on Feb. 6 that it had obtained a resolution agreement with Montefiore Medical Center over alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The resolution agreement comes with a heavy penalty – $4.75 million – the largest resolution amount assessed in almost two years and the sixth-largest ever assessed.

HHS OCR’s investigation began in November 2015 after Montefiore notified the department that, for six months in 2013, one of its employees accessed 12,517 patients’ electronic medical records and sold some of that information to an identity theft ring. Over the next eight years, HHS OCR’s investigation identified significant potential HIPAA violations, including:

  • Failure to conduct an accurate and thorough enterprise-wide security risk analysis (45 C.F.R. § 164.308(a)(1)(ii)(A));
  • Failure to implement procedures to regularly review information system activity logs, access reports and security incident tracking (45 C.F.R. § 164.308(a)(1)(ii)(D)); and
  • Failure to implement hardware, software and/or procedural mechanisms that record and examine activity of information systems that contain or use protected health information (45 C.F.R. § 164.312(b)).
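The second and third items above are the technical controls a log-review procedure would exercise: audit trails that record who accessed which patient record, and a routine that actually examines them. As an added illustration (not code from the post, from Montefiore or from HHS OCR), the script below parses a constructed set of access-log lines and flags the two patterns that an insider pulling thousands of records tends to produce: an unusually high number of distinct patients opened by one account in a day, and access outside business hours. The log format, the user and patient identifiers, and the thresholds are all assumptions made for the example; in practice the thresholds would be baselined per role.

```python
"""Routine audit-log review for inappropriate record access (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records: ISO timestamp, user account, patient id, action.
# These lines are invented for the example and correspond to no real system.
SAMPLE_LOG = """\
2013-03-04T09:12:00 clerk01 P-1001 VIEW
2013-03-04T09:15:00 clerk01 P-1002 VIEW
2013-03-04T09:40:00 nurse07 P-1003 VIEW
2013-03-04T10:05:00 nurse07 P-1003 UPDATE
2013-03-04T22:30:00 clerk01 P-1004 VIEW
2013-03-04T22:31:00 clerk01 P-1005 VIEW
2013-03-04T22:32:00 clerk01 P-1006 VIEW
2013-03-04T22:33:00 clerk01 P-1007 VIEW
2013-03-05T11:00:00 nurse07 P-1008 VIEW
"""


def parse_audit_log(text):
    """Parse whitespace-separated audit lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        records.append(
            {"ts": datetime.fromisoformat(ts), "user": user,
             "patient": patient, "action": action}
        )
    return records


def review_access(records, max_distinct_patients_per_day=3, business_hours=(7, 19)):
    """Return findings for accounts that exceed a per-day distinct-patient
    threshold or that touch records outside business hours.

    Both thresholds are assumed values for the example; a real programme would
    derive them from each role's normal workload.
    """
    per_user_day = defaultdict(set)   # (user, date) -> distinct patient ids
    off_hours = defaultdict(int)      # user -> count of off-hours accesses
    start, end = business_hours
    for r in records:
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
        if not (start <= r["ts"].hour < end):
            off_hours[r["user"]] += 1

    findings = []
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > max_distinct_patients_per_day:
            findings.append({"user": user, "day": day.isoformat(),
                             "type": "volume", "count": len(patients)})
    for user, n in sorted(off_hours.items()):
        findings.append({"user": user, "type": "off_hours", "count": n})
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_audit_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the review flags `clerk01` twice (six distinct patients on one day, four accesses at 22:00 hours) and nothing for `nurse07`. The value of the control is the schedule, not the script: the rule at 45 C.F.R. § 164.308(a)(1)(ii)(D) is about regularly running this kind of review and acting on its output, which is what would have surfaced a six-month pattern of access far earlier than an external tip.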

Pursuant to the corrective action plan (CAP), Montefiore agreed to conduct a thorough risk analysis, the methodology for which requires HHS OCR’s approval, and to develop a corresponding risk management plan, which must also be submitted to the department. The CAP also requires an overhaul of Montefiore’s policies and procedures and creation of a plan for their distribution, implementation of audit controls, and significant workforce training.

This resolution agreement and CAP serve as a reminder to covered entities and their business associates that HHS OCR investigations never focus solely on the reported breach. Typically, only 20 percent or less of the questions in data requests issued by the department are about the reported incident, with the remainder asking for evidence of implementation of dozens of HIPAA standards and proof of the entity’s implementation of recognized security practices. Proactive HIPAA compliance will not guarantee that breaches do not occur, but it can significantly minimize the risk that a costly breach will be followed by a costly regulatory fine.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
