The Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), has reached an $875,000 settlement and an extensive corrective action plan (CAP) with a university medical center concerning its violation of HIPAA’s privacy, security, and breach notification rules. The hacking of a medical center web server containing protected health information (PHI) by an unknown third party led to the disclosure of PHI for more than 275,000 individuals.
The medical center filed the breach report in November 2017. The center later reported that the hacking incident had occurred in March 2016 and that it had become aware of it in September 2017. The center did not report the breach at the time because it did not realize that PHI was stored on the compromised server. Following its investigation, OCR determined that the center had allowed unauthorized disclosures of PHI, failed to implement sufficient response and reporting protocols for security incidents, and neglected to conduct adequate risk analyses or evaluations. OCR also noted that the medical center had declined to adopt adequate audit controls and had failed to provide timely breach notification to affected individuals and to HHS.
As a result of the settlement, the medical center is also subject to a CAP, which involves various provisions, including the following:
- Complete a risk analysis and management plan that OCR must review and approve;
- Revise its privacy, security, and breach notification policies according to the plan within 30 days of the date of OCR’s approval;
- Incorporate the revised policies into proposed training materials for approval by OCR;
- Once approved, include them in training sessions for all employees;
- Train new employees within 15 days of starting work;
- Engage an independent monitor to analyze and assist with CAP compliance, subject to OCR approval; and
- Submit periodic compliance reports to OCR concerning the CAP for two years.
HBL has experience in all areas of benefits and employment law, offering a comprehensive solution to all your business benefits and HR/employment needs. We help ensure you are in compliance with the complex requirements of ERISA and the IRS code, as well as those laws that impact you and your employees. Together, we reduce your exposure to potential legal or financial penalties. Learn more by calling 470-571-1007.
Hall Benefits Law, LLC