Two recent developments in the enforcement of the privacy and security rules under the Health Insurance Portability and Accountability Act (“HIPAA”) should give compliance officers of healthcare providers, health plans, and insurers pause. Last month the Office of Civil Rights of the U.S. Department of Health and Human Services (“OCR”) imposed the first-ever civil penalty on a healthcare provider under the HIPAA privacy rule and entered into a substantial settlement agreement with another healthcare provider for violations of the HIPAA privacy rule arising from the loss of a few hundred individuals’ protected health information. In so acting, OCR has signaled its seriousness about the enforcement of the HIPAA privacy and security rules. In light of these developments, covered entities and their business associates should review their compliance policies and procedures and confirm good practices with respect to protected health information in order to avoid increasingly significant monetary sanctions.