The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000.  CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a CCDH business associate that stored inactive paper medical records for CCDH.  While CCDH had been disclosing PHI to the vendor since 2003, neither party could produce a business associate agreement in effect prior to October 12, 2015.  In addition to the settlement payment, CCDH has also entered into a corrective action plan with OCR.
  • The OCR issued a press release announcing that it has settled alleged HIPAA violations with MHHS for $2.4 million for disclosing PHI in a media press release.  According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff and requiring all of the facilities in the system to “attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.”  Read more here.
  • The OCR announced on April 24, 2017, that it has settled alleged HIPAA violations with CardioNet, a wireless health services provider based in Pennsylvania, for $2.5 million.  CardioNet self-reported a data breach in January 2012, stating that an unencrypted laptop of one of its employees was stolen from a vehicle parked outside the employee’s home. Read more here.

These posts are also being shared on our Data Privacy + Security Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.