HIPAA Enforcement In 2018 Hits All Time High

Murtha Cullina

Privacy and cybersecurity are at the forefront of everyone’s mind these days and, in 2018, the Office for Civil Rights (“OCR”) settled ten cases and prevailed in another before an Administrative Law Judge to the tune of $28,700,000. This is a new record for OCR, besting 2016 by over $5,000,000. The latest settlement clocked in at $3,000,000, owed by a health system in California that experienced two breaches of electronic protected health information (“ePHI”), which affected 62,500 individuals. The first breach involved a security configuration in which files containing ePHI could be accessed without a username or password, making the ePHI available to anyone with access to the health system’s server. The second breach involved a server misconfiguration that exposed the health system’s ePHI over the internet, including social security numbers and treatment information.

In its investigation, OCR uncovered that the health system: (1) failed to conduct a thorough security assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI maintained on its system; (2) failed to perform technical and non-technical evaluations in response to environmental or operational changes affecting the ePHI; and (3) failed to obtain a written business associate agreement with a contractor that maintained ePHI for it.

There are a couple of takeaways from this latest OCR settlement. First, all covered entities should ensure that they have conducted a recent security assessment of their systems to identify and understand the risks and vulnerabilities to ePHI. Covered entities need to conduct these security assessments periodically, especially as they make changes to their computer systems and vendors, including their electronic health record systems. Second, all covered entities should conduct a business associate audit, examining their vendor contracts and ensuring that a business associate agreement is in place with any vendor that will receive, maintain, or transmit PHI or ePHI on behalf of the covered entity.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Murtha Cullina | Attorney Advertising
