After roughly seven months since the last announced settlement, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human services has announced a settlement of alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The first OCR settlement of 2018 concerns a HIPAA security breach of electronic data. At the same time, a recently announced settlement of a private class action against Aetna highlights the importance of HIPAA privacy and the continuing relevance of paper records.
The settlement concerns 21st Century Oncology, Inc. (21CO), a large oncology practice with treatment centers in 17 states and overseas. In 2015, 21CO was notified by the Federal Bureau of Investigation that its patient records had been compromised and were being sold illegally. In total, the records of 2,213,597 patients were affected. The information breached included names, social security numbers, diagnoses, treatments, and insurance information.