Physician Law Blog

Ever wonder if the Office of Civil Rights (“OCR”) is serious about the requirements for a HIPAA Security risk analysis and policy specific to removing hardware and electronic media containing ePHI from a covered entity’s facility? Yes, the OCR is extremely serious about those requirements as Cancer Care Group, P.C. (“Cancer Care”), a radiation oncology private practice, with 13 radiation oncologists discovered after reporting a breach of ePHI.

The OCR announced a settlement of $218,400 along with adoption of a robust plan of correction with St. Elizabeth’s Medical Center (SEMC) of Brighton, MA for alleged HIPAA violations. Before the settlement, SEMC had two different events leading up to it entering the resolution agreement with HHS. The first allegation involved a complaint to the OCR that employees were using an internet-based document sharing application to store ePHI without analyzing the associated security risks, exposing at least 498 individuals’ ePHI.

Just ask Cornell Prescription Pharmacy about disposal of unshredded paper pharmacy records containing protected health information (PHI), and you will hear that this pharmacy paid $125,000 plus it has entered a Resolution Agreement with the OCR. Not only is this pharmacy paying a significant penalty, it will be under a corrective action plan to correct deficiencies in their HIPAA compliance program and must submit the members of their workforce to receive training on that program within 30 days of implementing the policies and procedures.

If you ever wonder if you should be concerned about HIPAA compliance, think about this latest Office of Civil Rights (OCR) settlement with New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU).

OCR issued an update regarding two important HIPAA settlements involving theft of unencrypted laptops. The first involved Concentra Health Systems report of a breach that an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center. After concluding that Concentra had previously recognized its lack of encryption in multiple risk analyses, its efforts to protect patient PHI remained vulnerable due to incomplete and inconsistent encryption. As a result, Concentra agreed to pay OCR $1,725,220 to settle the violations and will be implementing a corrective action plan to remediate the findings.