OCR announces seventh HIPAA settlement of the year
The Office for Civil Rights (OCR) announced its seventh HIPAA violation settlement of 2017, putting the agency well on its way to topping last year’s record-setting number of HIPAA settlements.
CardioNet, a Malvern, Pennsylvania-based organization that provides remote cardiac monitoring services, agreed to a $2.5 million settlement and a corrective action plan (CAP), according to OCR’s April 24 statement. OCR said this is the first HIPAA settlement involving a wireless health services provider.
The settlement is the result of a breach reported in January 2012. CardioNet notified OCR that an employee’s laptop had been stolen from a car parked outside the employee’s home. The laptop contained the protected health information (PHI) of 3,191 individuals. OCR’s investigation found that CardioNet’s security policies and procedures existed only in draft form and had not been implemented. Furthermore, CardioNet’s risk analysis and risk management processes were insufficient.
So far, OCR has collected seven HIPAA settlements totaling almost $15 million this year. Last year, OCR set a record by collecting more than $32 million in 13 HIPAA settlements and civil monetary penalties. Covered entities (CEs) and business associates (BAs) should be prepared for 2017 to be another record-setting year for HIPAA enforcement, says Mac McMillan, FHIMSS, CISSM, president and chief strategy officer of CynergisTek in Austin, Texas. CEs and BAs should take cues from OCR’s resolution agreements and statements to identify the compliance areas the agency is focusing on, McMillan recommends. “When you look at the lessons learned, risk assessment was one of the big items in every single resolution agreement,” he says. “Organizations are still either not doing it or not doing it correctly.”
OCR’s oversight of HIPAA compliance came under fire from industry experts and from other government agencies, notably in the Office of Inspector General’s 2015 report “OCR Should Strengthen Its Oversight of Covered Entities’ Compliance with the HIPAA Privacy Standards.” But OCR is making it clear that the era of lax enforcement is over. CEs and BAs must adjust to the new reality of heightened enforcement and larger fines, McMillan says. “OCR under Director Severino has definitely signaled that they are serious about enforcement. Not just the numbers of resolutions and size of fines have gone up, but they’ve expanded to reviewing smaller breaches and now trends in breach activity reported by an entity,” he says. “They are doing exactly what they said they would do.”