Since the beginning of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (?ãOCR?ÃÂ¥) has announced six substantial settlements with HIPAA covered entities (either health care providers or health plans) for potential violations of the HIPAA privacy and security rules (?ãHIPAA Rules?ÃÂ¥) related to safeguarding protected health information (?ãPHI?ÃÂ¥). OCR is the federal agency responsible for enforcement of the HIPAA Rules.
These settlements generally arose from investigations pursued by OCR following the receipt of a breach report by the covered entity and involved settlement payments ranging from $25,000 to $6.85 million (the second largest HIPAA settlement payment in OCR history). The settlements also imposed a corrective action plan on each covered entity, with two years of monitoring by OCR.
Findings by OCR during its investigations included one or more of the following infractions by the subject covered entity:
- Neglected to implement HIPAA policies and procedures;
- Failed to conduct a risk analysis as required by the HIPAA security rules;
- Failed to have the necessary business associate agreements in place with business associates;
- Neglected to provide workforce members with HIPAA privacy and security training as required;
- Failed to encrypt electronic PHI on laptops after the covered entity determined it was reasonable and appropriate to do so;
- Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; and
- Failed to implement information system activity review, security incident procedures, and information access controls.