April has had three more OCR resolution announcements. That’s a total of 7 cases for $14.3m in 2017 so far. When we covered resolutions recently I kept waiting for another one to come out and gave up. Then, BAM, three in a row!

In this episode:

HIPAA Boot Camp

Speaking Events

David in Washington, DC at the Un-conference Conference in September

How to win a $100 Amazon gift card

Three settlements


Ways to win $100

Ways to get an entry in the $100 Amazon card drawing  [41:10]

  • Get 1 entry in the drawing:
    • Review/Recommend us online and send a screenshot to us
      • iTunes, Stitcher, our LinkedIn (1 entry per site)
    • Send in a question via email, social media, Speakpipe, etc
    • Do a shout out to us on social media twitter, FB, LinkedIn whatever using our profile @HelpMeWithHIPAA
  • Get 2 entries in the drawing when you:
    • Complete our listener survey and add in the notes – Give me $100!  You must include your email in the notes too.
    • Send an email that we joked about sending at the end of one of our episodes about David – this is a trivia question to get extra entries for our regular listeners
  • Get 3 entries in the drawing when you:

April 12, 2017

Metro Community Provider Network (MCPN)

$400,000 settlement and 3 year CAP

  • January 27, 2012, MCPN filed a breach report
  • hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident
  • OCR investigation revealed that MCPN DID take the necessary corrective action related to the phishing incident
  • HOWEVER, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012
    • No SRA – EVER
    • No risk management plan EVER
  • It gets worse….

    When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule

  • Official quote from Severino

    “Patients seeking health care trust that their providers will safeguard and protect their health information,” said OCR Director Roger Severino. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

  • https://www.hhs.gov/about/news/2017/04/12/overlooking-risks-leads-to-breach-settlement.html

Notes to self on this one

  • If an email account gets compromised, even one using encrypted email, the attacker gets all the data stored in that account.
  • If you panic and do an SRA at the last minute – like after a phishing attack breach – you will likely not meet the standard and be in the same boat with these guys.

April 20, 2017

The Center for Children’s Digestive Health (CCDH)

$31,000 settlement and 2 year CAP

Notes to self on this one

  • Audit your BAAs and vet them!!!
  • Don’t assume if your BA gets investigated it won’t come back on you.
  • Don’t forget State Attorneys General can use HIPAA now too.
  • CAP is mostly about written policies and procedures specifically relating to managing BAs

April 24, 2017

CardioNet – A CE in PA

$2.5 million settlement and 2 year CAP

  • Some headlines made note of the wireless provider being a big deal

    This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmia.

  • It didn’t say much, though, because it was still just an unencrypted laptop issue, not the wireless device
  • The real headline was

    $2.5 million settlement shows that not understanding HIPAA requirements creates risk

  • Jan 10, 2012 report of laptop stolen from an employee’s car outside their home
    • 1,391 patients on unencrypted device
  • Feb 27, 2012 another breach reported
    • 2,219 patients this time
  • Findings
    • Insufficient risk analysis and risk management program
    • Policies and procedures were in draft form and never implemented
    • There were zero finalized policies and procedures that could be produced
  • Official Severino quote:

    “Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

  • https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html
  • https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html

Notes to self on this one

  • If you are subject to HIPAA don’t just poke it with a stick
  • Notified in May 2012 they were being investigated.
    • Settled just short of 5 years later
  • Templates are not gonna cut it. These are not the policies and procedures you are looking for (little hat tip to May the 4th needed to be in here)

Hopefully this will get released before they announce another settlement!

The information in these resolution agreements makes certain things clear.  OCR isn’t willing to walk back enforcement right now.  The lack of a proper compliance program is clear in each case.  They had no BAA, no SRA, no plan.  No, no, no isn’t just a song; it is the point that OCR is trying to get across.  If you have nothing, they will find out.  Now is the time to act, before they find out about whatever you know your program is lacking.

Please remember to follow us and share us on your favorite social media site and rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

Remember, HIPAA is not about compliance, it’s about patient care.
