Department of Health and Human Services

On September 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights issued an announcement containing disaster preparedness and recovery guidance in advance of Hurricane Irma. The announcement underscores key privacy and security issues for entities covered by HIPAA to help them protect individuals’ health information before, during and after emergency situations.
Continue Reading

On April 12, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with Metro Community Provider Network that stemmed from MCPN’s lack of a risk analysis and risk management plan that addressed risks and vulnerabilities to protected health information.
Continue Reading

On February 16, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with Memorial Healthcare System that emphasized the importance of audit controls in preventing breaches of protected health information. The 5.5 million dollar settlement with Memorial is the fourth enforcement action taken by OCR in 2017, and matches the largest civil monetary ever imposed against a single covered entity.
Continue Reading

On February 1, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a 3.2 million dollar civil monetary penalty against Children’s Medical Center of Dallas for alleged ongoing violations of the HIPAA Privacy and Security Rules, following two consecutive breaches of patient ePHI.
Continue Reading

On January 18, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with MAPFRE Life Insurance Company of Puerto Rico relating to a breach of protected health information contained on a portable storage device. This is the second enforcement action taken by OCR in 2017, following the action taken against Presence Health earlier this month for failing to make timely breach notifications.
Continue Reading

On January 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement with Presence Health stemming from the entity’s failure to notify affected individuals, the media and OCR within 60 days of discovering a breach. This marks the first OCR settlement of 2017 and the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.
Continue Reading