As a helpful reminder, clients need to be aware that the March 1, 2017 deadline for reporting 2016 HIPAA breaches is fast approaching. March 1, 2017 is the deadline for covered entities to report to the OCR any 2016 HIPAA breaches affecting fewer than 500 individuals. Year-end breach reports are filed through the OCR portal. Each year, covered entities are required to file a report within 60 days of year end if the covered entity experienced a breach during the prior year affecting fewer than 500 individuals.
We offer updates on national and regional issues such as malpractice defense, regulatory compliance, labor and employment issues and estate planning.
Don’t let your clients get caught paying a “big” settlement for failing to report a HIPAA breach! For the first time, the Office for Civil Rights (OCR) has announced a HIPAA settlement with a provider who failed to provide a timely breach report. Presence Health, a health network serving Illinois with approximately 150 locations, including 11 hospitals and 27 long-term care and senior living facilities, has been ordered to pay a $475,000 HIPAA settlement and is being directed to implement a corrective action plan because it failed to report a breach in a timely manner.
Advocate Health Care Network, the largest fully-integrated health care system in Illinois, agreed to the largest HIPAA settlement to be paid by a single entity for potential penalties, in the amount of $5.55M. The alleged long-term non-compliance resulting in this settlement included four failures to comply with HIPAA: failure to adequately conduct risk assessments, failure to limit physical access to ePHI, failure to obtain Business Associate Agreements, and failure to safeguard an unencrypted laptop from an unlocked car overnight.
The HIPAA Final Rule has been in effect since 2013, but HIPAA settlements following breaches continue to be reported. If you think the need for a risk analysis under HIPAA is not important, think again! On December 14, 2015, the Department of Health and Human Services (HHS) announced another $750,000 HIPAA settlement with the University of Washington Medicine (UWM). This settlement not only involves a payment of $750,000 but also requires a corrective action plan and annual reports to the Office for Civil Rights (OCR) on UWM’s compliance efforts. The settlement follows an OCR investigation after UWM reported a breach of electronic protected health information (ePHI) involving approximately 90,000 individuals after an employee downloaded an email attachment containing malware. As a result, 76,000 patients’ names, medical record numbers, dates of service, and/or charges or bill balances, as well as approximately 15,000 patients’ names, medical record numbers, and other demographics, held in UWM’s IT system were compromised.
Office for Civil Rights (OCR) Director Jocelyn Samuels has made it clear that the “OCR remains committed to strong enforcement of the HIPAA Rules.” The latest settlement, announced on 11/30/15, concerning Triple-S, an insurance holding company offering a wide range of insurance products and services, demonstrates just how committed the OCR is when it comes to HIPAA compliance. This settlement included payment of $3.5 million and adoption of a corrective action plan to implement a robust and comprehensive HIPAA compliance program pursuant to the Resolution Agreement entered by Triple-S.