The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced two very large settlements for HIPAA law violations, underscoring the agency’s commitment to enforcing HIPAA privacy and security laws.
On March 16, HHS announced North Memorial Health Care of Minnesota had agreed to pay $1.5 million to settle charges that it “potentially violated HIPAA Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.”
One day later, HHS announced a near-record $3.9 million settlement (the record is $4.8 million) with the Feinstein Institute for Medical Research in New York over the theft of poorly secured data from 13,000 patients enrolled in a medical study. The settlement stems from an OCR investigation that found Feinstein’s “security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities.”
It is worth noting that both of these cases began with reported breaches stemming from stolen laptops containing unencrypted data. Subsequent investigations in both cases revealed a more widespread failure on the part of these organizations to adequately protect patient health information.
In addition to vigorous breach investigations, OCR last year signaled its intent to conduct random HIPAA security audits under the auspices of its 2016 Phase 2 HIPAA Audit Program.
Impact for NextGen Healthcare clients
These and similar cases, along with OCR’s stated intention to conduct random HIPAA audits, only further underscore the importance of implementing a complete HIPAA compliance program and performing an annual Security Risk Analysis (SRA) as mandated under both the HITECH and HIPAA laws.
NextGen Healthcare can assist clients in developing their HIPAA Security compliance program and conducting a compliant SRA. In partnership with HIPAA One®, we offer a user-friendly tool that manages the entire SRA process, including BAA tracking and compliance, and can provide hands-on data security assistance to practices. To learn more about our SRA solution, contact your NextGen Healthcare representative.