The HIPAA-enforcing arm of the U.S. Department of Health and Human Services, the Office for Civil Rights (OCR), has bestowed a few early Christmas presents on healthcare providers and their business associates.
The festive cheer came this November and December in the form of three costly resolution agreements with violators of the HIPAA Privacy and Security Rules, as reported Dec. 22 on the Arent Fox law firm’s blog, “Health Care Counsel.”
Amid the holiday celebrations, in fact, the OCR moves serve as warnings of enforcement actions to come, wrote Arent Fox lawyer Samuel Cohen, the author of the blog post.
“They serve as a year-end reminder to covered entities (and business associates) that OCR is continuing to ramp up its enforcement of HIPAA violations,” Cohen wrote.
The three most recent resolution agreements announced by OCR were:
- Lahey Hospital and Medical Center, Burlington, Mass., a non-profit teaching facility affiliated with Tufts Medical School, agreed to pay $850,000 and adopt what OCR called a “robust” corrective action plan to correct problems with its HIPAA compliance program. The OCR investigation that led to the settlement started in 2011 when a laptop connected to a portable CT scanner was stolen from an unlocked treatment room. The laptop’s hard drive contained the PHI of 599 people.
- Triple-S Management Corporation, an insurance holding company based in San Juan, Puerto Rico, agreed on behalf of three of its wholly owned subsidiaries to pay OCR $3.5 million and adopt a corrective action plan. This resolution agreement came after an investigation triggered by Triple-S’s own notification to OCR of multiple potential breaches of PHI. “OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S,” according to an OCR release.
- University of Washington Medicine in Seattle agreed to pay $750,000, put in place a corrective action plan and report annually on its compliance efforts to resolve allegations that it violated the HIPAA Security Rule, OCR said. The agency started this investigation after receiving a breach report in 2013 that the PHI of about 90,000 people was accessed after an employee downloaded an e-mail attachment containing malware.