HIPAA Easter: OCR Continues to Censure Healthcare Providers for Overlooking the Security Rule
Why Should You Care?
Healthcare providers typically focus their HIPAA compliance efforts on the Privacy Rule and the Breach Notification Rule, and often overlook comprehensive compliance with the Security Rule. Although this settlement may seem nominal, OCR took into account Metro Community Provider Network's status as a federally qualified health center (FQHC) serving a predominantly low-income patient population. This settlement, together with heftier recent settlements (including a $5.5 million settlement for lack of audit controls and a $5.55 million settlement for lack of a comprehensive risk analysis), underscores OCR's consistent message: covered entities must conduct a comprehensive, enterprise-wide risk analysis of the confidentiality, integrity and availability of their electronic PHI and implement a risk management plan that addresses the risks that analysis identifies. We anticipate that OCR will continue to be very active in its enforcement of the Security Rule under the Trump administration.
What’s the Takeaway?
Healthcare providers, other covered entities, and their business associates should take this opportunity to review their HIPAA compliance programs, including performing an updated risk analysis and making the corresponding updates to their risk management plans. Covered entities and business associates that fail to adequately protect electronic PHI expose themselves to significant liability under HIPAA and under state privacy and data security laws.