So far in 2016, we have seen four HIPAA enforcement cases resolved by OCR. One involved only the second Civil Money Penalty ever assessed; the other three were resolution agreements. Add those cases to what was done in 2015 and you have the most active 12-month period of HIPAA enforcement ever. Certainly, the first quarter of 2016 has been the most active quarter ever when it comes to HIPAA enforcement announcements.

In this episode we discuss the cases resolved so far in 2016 and more thoughts on what is coming up for 2016.

HIPAA For MSPs by David Sims Ep 46: HIPAA Enforcement 2016

HIPAA Enforcement 2016

February 3, 2016 – Lincare Civil Money Penalty

  • Lincare employees traveled with laptops that were unencrypted.
  • Policy was to lock them in the employee's car at night to secure them.
  • A therapist gets in a big fight with her husband and leaves without the car – and without the laptop.
  • The husband finds the laptop and reports it to Lincare, using it as a tool to try to get her back – according to Lincare.

What OCR said

  • Lincare had an obligation to provide safeguards to prevent something like this – aka encrypt the laptops!
  • No written policies and procedures
  • Lincare said – it wasn't our fault
  • OCR said – oh, yes it was
  • The administrative judge agreed that OCR has the evidence and standing to fine Lincare
Different than others

  • This is a true civil money penalty of $239,800, not a resolution agreement
  • Only the 2nd time ever that a true CMP has been levied

February 16, 2016 – Pool & Land Physical Therapy, Inc.

  • $25,000 and a 3-year CAP (corrective action plan) focused on policy and procedure (P&P) development and training
  • An August 2012 complaint to OCR alleged that PHI was disclosed on the practice's website without permission.
  • Used patient testimonials without HIPAA authorization

March 16, 2016 – North Memorial Health Care

  • $1.55 million and 2 year CAP
  • Accretive Health does Revenue Cycle Management for the hospital
  • An Accretive employee lost an unencrypted laptop in July 2011
  • Reported to OCR in September 2011 that the BA had a breach of PHI – initially 2,800 patients, which eventually turned out to be 6,697
  • A BAA didn't exist until October 2011
  • Accretive Health started doing the work in March 2011.
  • No BAA from March to October means Accretive had access to impermissibly disclosed PHI the whole time.
  • That means the breach covers the 289,904 patients whose PHI Accretive had access to without a BAA.

March 17, 2016 – The Feinstein Institute for Medical Research

  • $3.9 million and a 3-year CAP
  • A research subsidiary of a huge health system in New York (21 hospitals and over 450 facilities and practices)
  • Unencrypted laptop with 13,000 patients' PHI stolen from the back seat of an employee's car in September 2012
  • The organization took the stance that, as a research center, they didn't need to do all the HIPAA stuff

National HIPAA Summit, March 21 – 23

  • OCR likely to make announcements of something