April has had three more OCR resolution announcements. That’s a total of 7 cases for $14.3m in 2017 so far. When we covered resolutions recently I kept waiting for another one to come out and gave up. Then, BAM, three in a row!

HIPAA For MSPs No, No, No Says OCR In Three April Settlements
00:00:00 00:00:00

In this episode:

April 12, 2017

Metro Community Provider Network (MCPN)

$400,000 settlement and 3 year CAP

  • January 27, 2012, MCPN filed a breach report
  • a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident
  • OCR investigation revealed that MCPN DID take the necessary corrective action related to the phishing incident
  • HOWEVER…., the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012
    • No SRA – EVER
    • No risk management plan EVER
  • It gets worse….

    When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule

  • Official quote from Severino

    “Patients seeking health care trust that their providers will safeguard and protect their health information,” said OCR Director Roger Severino. “Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”

  • https://www.hhs.gov/about/news/2017/04/12/overlooking-risks-leads-to-breach-settlement.html

Notes to self on this one

  • If email, even encrypted, gets hacked they get all the data that is stored in that email account.
  • If you panic and do an SRA at the last-minute – like after a phishing attack breach – you will likely not meet the standard and be in the same boat with these guys.

April 20, 2017

The Center for Children’s Digestive Health (CCDH)

$31,000 settlement and 2 year CAP

Notes to self on this one

  • Audit your BAAs and vet them!!!
  • Don’t assume if your BA gets investigated it won’t come back on you.
  • Don’t forget State Attorneys General can use HIPAA now too.
  • CAP is mostly about written policies and procedures specifically relating to managing BAs

April 24, 2017

CardioNet – A CE in PA

$2.5 million settlement and 2 year CAP

  • Some headlines made note of the wireless provider being a big deal

    This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmia.

  • It didn’t say much though because it was still just an unencrypted laptop issue not the wireless device
  • The real headline was

    $2.5 million settlement shows that not understanding HIPAA requirements creates risk

  • Jan 10, 2012, report of laptop stolen from employee’s car outside their home
    • 1,391 patients on unencrypted device
  • Feb 27, 2012, another breach reported
    • 2,219 patients this time
  • Findings
    • Insufficient risk analysis and risk management program
    • Policies and procedures were in draft form and never implemented
    • There were zero finalized policies and procedures that could be produced
  • Official Severino quote:

    Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.

  • https://www.hhs.gov/about/news/2017/04/24/2-5-million-settlement-shows-not-understanding-hipaa-requirements-creates-risk.html
  • https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet/index.html

Notes to self on this one

  • If you are subject to HIPAA don’t just poke it with a stick
  • Notified in May 2012 they were being investigated.
    • Settled just a short of 5 years later
  • Templates are not gonna cut it. These are not the policies and procedures you are looking for (little hat tip to May the 4th needed to be in here)

Hopefully, this will get released before they announce another settlement!


The information in these resolution agreements makes certain things clear.  OCR isn’t willing to walk back enforcement right now.  Lack of a proper compliance program is clear.  They had no BAA, no SRA, no plan.  No, no, no isn’t just a song it is the point that OCR is trying to get across.  If you have nothing we will find out.  Now is the time to act before they find out about whatever you know your program is lacking.

Please remember to follow us and share us on your favorite social media site and rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

Remember, HIPAA is not about compliance, it’s about patient care.™