OCR Announces $650,000 HIPAA Settlement Related to Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI

On June 30, 2016, the Department of Health and Human Services’ Office for Civil Rights announced a $650,000 settlement and corrective action plan with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). The press release indicates that CHCS was a business associate of six skilled nursing facilities for which it provided management and information technology services. CHCS experienced a breach when a CHCS-issued employee iPhone was stolen. The press release indicates that the iPhone, which was unencrypted and not…

HHS-OCR HIPAA Settlement Bulletin Highlights the Potential Impact of Unpatched and Unsupported Software

The Department of Health and Human Services, Office for Civil Rights (OCR) recently released a bulletin outlining the terms of a settlement with Anchorage Community Mental Health Services (ACMHS) over potential violations of the HIPAA Security Rule. According to the bulletin, ACMHS has agreed to “pay $150,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program.” OCR initiated an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI)…

$4.8 million HIPAA settlement

The U.S. Department of Health and Human Services (HHS) announced that it reached its largest HIPAA settlement to date with New York and Presbyterian Hospital (NYP) and Columbia University, following an investigation into the September 2010 joint breach report by the entities. The settlement includes monetary payments of $4.8 million. NYP and Columbia are separate covered entities that had a shared affiliation and shared network links to NYP patient systems containing ePHI. When a physician attempted to deactivate a personal…

OCR Announces HIPAA Settlements Related to Theft of Unencrypted Laptops: 4 Important Lessons to Take Away

Two HIPAA settlements were announced on April 22, 2014 by the Department of Health and Human Services Office for Civil Rights (OCR). The settlements for alleged violations of the HIPAA Privacy and Security Rules for Concentra Health Services and QCA Health Plan of Arkansas collectively totaled $1,975,220. According to the OCR press release, the review of Concentra Health Services resulted from a breach report involving the theft of an unencrypted laptop from the company’s Springfield, Missouri Physical Therapy Center. OCR stated…