Navigating a Hostile Regulatory Climate: Practical Lessons Following OCR’s Latest $4.8 MM HIPAA Settlements

By Barbara H. Ryland
May 9, 2014

On May 7, 2014, the Department of Health and Human Services Office of Civil Rights (“OCR”) announced the latest in a string of increasingly aggressive settlements of alleged Health Insurance Portability and Accountability Act (“HIPAA”) violations. The twin settlements with New York and Presbyterian Hospital (“NYP”) and Columbia University (“CU”) are the largest settlements to date. They arose from a physician's attempt to deactivate a server, which left patient information accessible on the internet and indexed by web crawlers. Here are a few lessons that can be learned from these settlements:

  1. There are no excuses for noncompliance. OCR has undeniably switched its focus from educating entities to punishing violations. In the past, many saw OCR as having a softer touch and being more concerned with ensuring compliance; it is now decidedly in enforcement mode, with new settlements almost every month.
  2. Breach notification reporting has become OCR’s primary method of conducting compliance audits. A breach does not mean the end of the world; however, a breach that was caused by multiple HIPAA violations will garner significant scrutiny. OCR uses breach reports to identify companies for more detailed audits.
  3. Risk Assessments may be difficult, but are NOT OPTIONAL: Cursory risk assessments that focus only on certain risks are not acceptable. HIPAA requires more. The last several OCR settlements have all highlighted the failure to conduct a truly comprehensive risk assessment that looks at all risks and vulnerabilities to ePHI, regardless of where it is stored. This is not an easy task, particularly for larger, complex organizations, but OCR is making it clear that no company can get away with phoning in a risk assessment.


Barbara H. Ryland is a senior counsel in the Washington office of Crowell & Moring’s Health Care Group. Ms. Ryland brings more than 20 years of experience navigating the complex health care regulatory environment in working with health care clients in counseling, litigation and internal investigations. Ms. Ryland has worked with health plans to investigate and resolve False Claims Act disputes arising out of government health care programs. Ms. Ryland has also represented health plans in administrative disputes before CMS, involving Medicare Advantage and Part D plans, and in disputes with state agencies involving Medicaid managed care plans.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Data Law Insights
  • Organization:
    Crowell & Moring LLP