OCR Settles Three HIPAA Enforcement Actions in April

The Office for Civil Rights (OCR) inked three agreements last month to settle potential violations of the Health Insurance Portability and Accountability Act. First, OCR announced a $400,000 settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC). MCPN settled with OCR amidst allegations that it failed to comply with the HIPAA Security Rule's requirements to conduct a risk analysis and implement a risk mitigation plan. MCPN also agreed to a three year corrective plan, requiring it to carry out a risk analysis, create a risk mitigation plan and review, and revise its Security Rule policies and procedures and employee training materials.

OCR also pursued Center for Children's Digestive Health (CCDH), a small pediatric specialty practice, for its failure to enter into a business associate agreement with its medical record storage provider. CCDH paid $31,000 and agreed to a two-year corrective plan, through which it is required to implement appropriate HIPAA policies and procedures.

OCR closed the month by announcing a $2.5 million settlement with CardioNet, an entity that provides wireless cardio monitoring services. The settlement addressed allegations that CardioNet failed to conduct a risk analysis and implement a risk mitigation plan, and also cited CardioNet's lack of policies to safeguard removable media containing protected health information. CardioNet agreed to correct these deficiencies through a two-year corrective action plan.

TIP: These settlements serve as a reminder that OCR is continuing to actively enforce HIPAA and pursue entities for non-compliance.