It has been a busy last few weeks at the U.S. Department of Health and Human Services Office for Civil Rights (OCR). OCR has announced four new enforcement actions, the most recent of which is rooted in a healthcare provider’s failure to properly identify and report a breach of protected health information (PHI), and the others in healthcare providers’ failure to conduct thorough, enterprise-wide HIPAA security risk analyses.
Interestingly, the actions involve a varied group of healthcare providers, from a state health services agency to a multi-hospital system—only two of which decided to enter into settlement agreements with OCR. Despite the differences in the healthcare providers and their approaches to reaching a resolution, the enforcement actions provide several key takeaways for other covered entities and business associates. Continue Reading Spate of New OCR HIPAA Enforcement Actions Confirms the Importance of (No Surprise!) Conducting a Thorough Risk Assessment and Prompt Breach Reporting