OCR 2020 Settlements Target HIPAA Security Rule Non-Compliance
Through almost the first three quarters of 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has settled three cases related to alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”), for a total of $1,165,000. These settlements underscore OCR’s continued focus on enforcement of the HIPAA Security Rule.
Most recently, on July 27, 2020, Lifespan Health System (“Lifespan”) agreed to pay $1.04 million to OCR to settle potential violations of the HIPAA Privacy and Security Rules related to the theft of an unencrypted hospital employee laptop, which compromised the electronic protected health information (“ePHI”) of over 20,000 individuals. OCR’s investigation concluded that Lifespan had systematic noncompliance with HIPAA requirements, including failure to encrypt its ePHI after having determined it was reasonable and appropriate to do so.
On July 23, 2020, Metropolitan Community Health Services (“Metro”) agreed to pay...