Archive for OCR
St. Elizabeth’s Medical Center in Boston has agreed to a corrective action plan and civil fine of $218,400 with OCR to address deficiencies in its HIPAA compliance program following employee practices at the hospital that exposed ePHI on more than 1,000 patients.
OCR initially received a complaint in November 2012 that hospital employees were allegedly storing patient records containing PHI in an unsecure online document sharing application without analyzing the risks of doing so, according to a July 8 resolution agreement between OCR and St. Elizabeth’s. Those documents contained the ePHI of at least 498 patients.
The New York Giants reportedly didn’t even know their defensive end Jason Pierre-Paul had one of his fingers amputated before his medical charts appeared in news reports July 8, but that’s a story for another audience.
ESPN reporter Adam Schefter isn’t in trouble for posting a picture on Twitter of what looks like Pierre-Paul’s medical chart—journalists aren’t covered by HIPAA—but staff members at Jackson Memorial Hospital in Miami and the hospital itself could be facing some stiff sanctions for releasing the records to a reporter.
Deven McGraw, a well-known health data privacy expert and federal legal advisor, just joined the HHS Office for Civil Rights on June 29. She takes over as deputy director of health information privacy and will head up the agency’s HIPAA policy and enforcement efforts.
OCR announced the appointment earlier in June. McGraw comes to OCR from Manatt, Phelps & Phillips, LLP, where she was a partner and co-chair of the law firm’s privacy and data security practice. The firm has offices in California, New York, Washington, D.C., and Mexico.
McGraw also served as the director of the Health Privacy Project at the Center for Democracy & Technology and the chief operating officer at the National Partnership for Women & Families, both of which are located in Washington, D.C.
The HHS Office for Civil Rights (OCR) entered into a $125,000 resolution agreement March 15 with Cornell Prescription Pharmacy (CCP) in Denver for HIPAA violations.
OCR received a media report January 11, 2012, indicating that CCP disposed of PHI in a publicly accessible dumpster. OCR began investigating CCP January 13, 2012, and notified the covered entity of the investigation February 27, 2012. The resolution agreement states that CCP failed to do the following:
- Reasonably safeguard PHI
- Implement written policies and procedures for compliance with the HIPAA Privacy Rule
- Provide and document HIPAA Privacy Rule training for workforce members since the compliance date of the rule
In addition to agreeing to the civil monetary penalty, CCP also agreed to do the following as part of the resolution agreement with OCR:
- Develop, maintain, and revise written policies and procedures to comply with federal privacy standards
- Provide copies of policies and procedures to OCR for review and approval
- Adopt and implement policies and procedures within 30 days of OCR approval
- Distribute policies and procedures to workforce members within 30 days of OCR approval
- Require workforce members to sign policies and procedures indicating that they have read, understand, and will abide by them
- Assess, update, and revise policies and procedures annually
- Restrict workforce members from the use or disclosure of PHI if they have not signed the policies and procedures
- Train workforce members on the new policies and procedures within 30 days of implementation
- Notify HHS/OCR of any future reportable breaches within 30 days of conducting an internal investigation
OCR Director Jocelyn Samuels recently stated that audit procedures for phase two HIPAA audits have yet to be finalized, delaying the start date of the audits, according to lexology.com. OCR originally planned to begin phase two audits in fall 2014.
Unlike phase one, the second phase of HIPAA privacy, security, and breach notification audits will likely be desk-based, which means OCR will not conduct on-site audits of covered entities (CE) and business associates (BA) unless resources are available. OCR representatives confirmed during a panel at the 2014 AHIMA Convention and Exhibit September 30, 2014, that the agency had begun its process of randomly selecting CE for the next round of audits, but had not sent notifications to facilities yet. At minimum, it will include large and small hospitals, dental practices, health insurance companies, and health plans in its pool of organizations that may be selected for an audit. BA audits are expected to begin after CE audits are underway, according to the panel.
Visit the OCR audit program website for the latest on HIPAA audits.