Skip to Main Content
Services Talent Knowledge
Site Search
Menu

Blog Post

March 03, 2016

Recent HIPAA Enforcement Emphasizes the Necessity of Comprehensive System-Wide Risk Analysis

Health care providers are learning firsthand the dangers of limited HIPAA risk analyses.   For those who fail to heed the warning sounded by the Director of the Office for Civil Rights, HHS (OCR) in December 2015, enforcement beckons.  The OCR Director Jocelyn Samuels cautioned: “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”  Recent OCR enforcement activities highlight the necessity of  a comprehensive, agency-wide risk analysis to ensure that risks to patient data are identified and addressed before the government comes knocking.  The following cases that illustrate underscore this point.

ALJ Upheld $239,800 Penalty Against Lincare Inc.

On January 13, 2016, an Administrative Law Judge upheld the $239,800 penalty against Lincare, an in-home respiratory care, infusion therapy, and medical equipment provider, for failing to implement appropriate safeguards with respect to employees removing patients Protected Health Information (PHI) from the office.  Without the appropriate policies in place or an agency-wide risk analysis, Lincare failed to identify missing files containing patients’ PHI that were left in the back of an employee’s car for months.  The ALJ upheld the OCR’s imposition of $239,000 in penalties against Lincare for violating HIPAA.

$750,000 Penalty for Failure to Implement Appropriate HIPAA Policies

On December 14, 2015, the University of Washington Medicine (UWM) agreed to settle charges that it potentially violated HIPAA’s Security Rule by failing to implement policies and procedures to prevent, detect, contain, and correct security violations.  The OCR investigated after receiving a breach report that approximately 90,000 individuals’ Protected Health Information (ePHI) was accessed when an employee downloaded an email attachment containing malicious malware.  OCR’s investigation indicated UWM did not adequately ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.

$750,000 HIPAA Settlement Against Cancer Care Group, P.C.

The OCR recently announced a $750,000 penalty against the Cancer Care Group (comprised of only 13 physicians) (CCG) after a CCG laptop and unencrypted backup media with approximately 55,000 patients’ ePHI was stolen from an employee’s car.  The investigation indicated that CCG never conducted an enterprise-wide risk analysis prior to the breach and, despite regularly transporting ePHI, never established or implemented written policies regulating the removal of hardware and electronic media containing ePHI.  CCG’s Corrective Action Plan (CAP) emphasized the importance of:  (1) Conducting security risk analyses at regular or as-needed intervals, (2) Implementing responsive risk management plans, and (3) Updating training materials and policies and procedures.

The moral of the story is clear—Adopt and implement comprehensive and effective organization-wide risk analysis policies and procedures to ensure compliance with the HIPAA Security Rule.

Subscribe

Click here to sign up for alerts, blog posts, and firm news.

Subscribe

Sign up to receive our latest news

Practice Areas

Featured Industries

New & Emerging Industry Practice Areas

Other

Featured Media

Alerts

Start Delayed for Required Massachusetts Paid Family and Medical Leave Contributions

Alerts

NY Court of Appeals Expands Optional Safety Equipment Defense for Design Defect Claims

Alerts

EEO-1 Component 2 Data Update

This site uses cookies to give you the best experience possible on our site and in some cases direct advertisements to you based upon your use of our site.

By clicking [I agree], you are agreeing to our use of cookies. For information on what cookies we use and how to manage our use of cookies, please visit our Privacy Statement.

I AgreeOpt-Out