OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity

By Stephanie S. Sobkowiak & Daniel J. Kagan on April 25, 2017

Providers Beware: OCR Published Three HIPAA Settlements in Two Weeks, Signaling a Ramp Up of HIPAA Enforcement Activity:

Make sure risk assessments, business associate agreements and policies & procedures are in place and up to date.

In a two-week period, the United States Department of Health and Human Services, Office for Civil Rights (OCR) published settlements with three different health care providers for violations of HIPAA. The settlements were not insignificant, ranging from $31,000 for a small physician practice, to $400,000 for a federally qualified health center (FQHC), to $2,500,000 for a wireless health services provider. Each of these violations and subsequent settlements should act as a cautionary tale to providers, both large and small, that they must continue to be vigilant in their HIPAA compliance efforts.

On April 12, OCR reached a $400,000 settlement, resolution and corrective action plan with an FQHC. In late January 2012, the FQHC experienced a breach due to a phishing incident. While the FQHC took corrective action to prevent similar events from occurring in the future, OCR’s subsequent investigation exposed that the FQHC failed to conduct its first risk analysis until mid-February 2012, weeks after the incident. Further, OCR deemed that this first risk analysis, and all subsequent risk analyses performed by the FQHC, were insufficient to meet the HIPAA Security Rule requirements.

On April 20, OCR reached a $31,000 settlement, resolution and corrective action plan with a small pediatric subspecialty practice. The practice used a business associate to store records containing protected health information (PHI). After a compliance review, OCR investigated the practice and discovered that it did not have a signed business associate agreement in place with the records storage company until approximately twelve years after it started using the company.

On April 24, OCR reached a $2,500,000 settlement, resolution and corrective action plan with a company that provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias. This settlement represents the first in which OCR focused on a wireless health services provider. The company experienced a breach when an employee’s laptop, containing PHI of nearly 1,400 patients, was stolen from his car, parked outside his home. After the company reported the breach to OCR, OCR conducted an investigation. This investigation uncovered that the company: (1) conducted an insufficient risk analysis and had an inadequate risk management process; (2) had only draft policies and procedures to implement the HIPAA Security Rule; and (3) had no final policies or procedures implementing safeguards for electronic PHI, including those for mobile devices containing PHI.

These enforcement actions should serve as reminders to providers of all types and sizes, as we predict that OCR’s enforcement actions will continue.

Stephanie S. Sobkowiak
Stephanie Sprague Sobkowiak is chair of the firm’s Health Care practice and a prior member of the firm’s Executive Committee. Stephanie is recognized as one of Connecticut’s top lawyers for health care providers.

Described in Chambers USA as “a really strong lawyer” who “cuts through the nonsense” to solve problems, Stephanie represents hospitals, physician groups, dental practices, community health centers and others in the health care industry. In her role, she partners with her clients on corporate, regulatory, compliance, risk management, fraud and abuse, medical staff and credentialing matters, Certificates of Need, and HIPAA and other patient privacy issues. In each relationship, she strives to understand her clients’ goals and strategic vision in order to help develop strategies that make sense in the context of their businesses.

Known for her negotiation skills, Stephanie credits her success to applying a pragmatic approach when putting together transactions or resolving disputes between her clients and opposing parties. She has negotiated countless corporate agreements, advocated for clients in matters before the Connecticut Department of Public Health, the Office of Health Strategy and the Department of Social Services and handled a variety of complex Medicare matters. She also drafts and negotiates purchase and sale transactions for clients in the health care space.

Stephanie frequently shares her knowledge of federal and state health care regulatory requirements by speaking at seminars and authoring articles. Her insight on these topics, as well as other timely risk-avoidance issues, benefits a wide audience of health care professionals, lawmakers, accountants, lawyers and others.

Daniel J. Kagan
Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans. Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR). Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations. Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha’s Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Privacy and Cybersecurity Perspectives
  • Organization:
    Murtha Cullina LLP