The United States Department of Health and Human Services (HHS) recently announced two settlements with covered entities for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
In the first case, a Minnesota-based hospital system settled with the government, agreeing to pay $1.55 million. The hospital system allegedly failed to enter into a business associate agreement with one of its contractors and also failed to conduct an organization-wide risk analysis to address the risks and vulnerabilities to its patient information systems.
The second settlement involved a New York State not-for-profit biomedical research institute sponsored by a prominent New York-based hospital system. An investigation by HHS determined that the research institute’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the institute. HHS also found a lack of policies and procedures for authorizing access to ePHI by its workforce members, failure of the institute to implement safeguards to restrict access to unauthorized users, and lack of policies and procedures to govern the receipt and removal of laptops that contained ePHI. The institute agreed to pay HHS $3.9 million.
Covered entities should take particular note that both investigations began as a result of lost laptop computers. Loss of portable electronic devices continues to be the number one cause of HIPAA breaches across the country.
Covered entities, business associates, and sub-contractors must have robust HIPAA policies and procedures in place to avoid the risk of violating HIPAA and becoming a subject of an HHS investigation. Frier Levitt has a team of attorneys that are well-versed in HIPAA and experienced in guiding clients around HIPAA pitfalls. Contact us today.