OCR Fine Calls Attention to HIPAA Security Rule Compliance

Katten Muchin Rosenman LLP

In a noteworthy development, a sole practitioner gastroenterology practice recently agreed to pay $100,000 to the Office for Civil Rights of the Department of Health and Human Services (OCR) and adopt a two-year corrective action plan to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). According to an OCR Press Release published on March 3, OCR alleged that the practice failed to comply with "basic" HIPAA security rule requirements by not conducting a thorough security risk analysis and implementing a risk management plan — a failure that OCR characterized as part of an "unacceptable and disturbing trend within the health care industry." OCR also alleged that the practice did not have a written business associate agreement with the practice's EHR vendor since 2013. As is often the case, the settlement stemmed from a compliance review OCR conducted following the practice's filing of a breach report in 2013. In what was likely an aggravating factor, OCR stated that certain of the alleged violations persisted despite OCR's provision of "significant technical assistance" to the practice. (The OCR Press Release regarding this enforcement action is available here.)

Key Takeaways

Covered entities (and business associates) should continue to:

  1. ensure that they have conducted a recent, enterprise-wide security risk analysis and update the analysis at least annually and as needed for changes in operations or threats;
  2. develop and implement a security risk management plan that reduces identified risks to reasonable and appropriate levels; and
  3. develop a vendor management program and ensure that business associate agreements are in place with all business associates.

It is also critical to have appropriate written HIPAA policies in place and to review and monitor those policies as well as conduct regular training.

While these takeaways are not new, the eye-catching amount of the settlement for a single-physician medical practice reinforces OCR's longstanding view that security risk analysis, risk management and business associate agreements are foundational to HIPAA compliance. As OCR seeks to meaningfully move the dial on addressing widespread cybersecurity risk within the health care industry, covered entities and business associates of all sizes are on notice that OCR will take seriously these foundational failures. Fortunately, OCR also has provided a wealth of compliance guidance on risk analysis, risk management, business associate contracting, and vendor diligence and management.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Katten Muchin Rosenman LLP | Attorney Advertising
