The Office for Civil Rights (OCR) is split between civil rights and HIPAA enforcement, and since the new administration came into power in January the OCR has seen dramatic changes in messaging and staffing. However, a recent posting to the updated "Press Release" section reminds us that the OCR we have grown to fear, the one enforcing HIPAA, is operating "business as usual", with the authority to assess large fines for non-compliance.
The May 28, 2025 Press Release details the $800,000 fine and 2-year monitoring plan imposed on a Florida provider for its failure to prevent a former administrative employee from accessing a patient's paper and electronic medical record in 2018 (yes, the date is not a mistake: 7 years ago!).
What exactly did the Florida provider do wrong?
"[Provider] failed to implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of the Privacy Rule, specifically, the requirement to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, as required by 45 C.F.R. §164.308(a)(4). B. [Provider] failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level as required by 45 C.F.R. §164.308(a)(1)(ii)(B). C. [Provider] failed to implement procedures to regularly review records of information system activity as required by 45 C.F.R. §164.308(a)(1)(ii)(D)." See https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-baycare-agreement.pdf
Current employees, former employees, outside third-party threats, internal third-party threats (our vendors and their subcontractors having leaks)... the exposure is endless and unstoppable; it is, however, mitigatable! The law requires each provider to try to mitigate it.
Specifically, the main purpose of reading OCR Press Releases (besides seeing whether any former classmates are the ones in trouble...) is to internalize the preventative measures you need to adopt to avoid becoming the headline. OCR outlines them here:
"OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to protect ePHI:
- Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
- Integrate risk analysis and risk management into the organization’s business processes.
- Ensure that audit controls are in place to record and examine information system activity.
- Implement regular reviews of information system activity.
- Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
- Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
- Incorporate lessons learned from incidents into the organization’s overall security management process.
- Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties."
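The third and fourth recommendations above (audit controls, and regular review of system activity) are the controls that would have surfaced the former employee's access in the case described. The following is an added example, not code from this newsletter, from OCR or from the provider involved, showing what such a periodic review can look like in practice: it runs over a few constructed ePHI access-log lines and a constructed workforce roster, and flags (a) access by an account whose user has already separated and (b) access that falls outside what a role needs for its job, i.e. the "minimum necessary" standard cited in the agreement. The roster, the log lines, the role-permission table and all names are assumptions made for illustration.

```python
"""Constructed example: review an ePHI access log against a workforce roster.

Two checks are applied to every log line:
  1. separated-account check: the user's termination date is on or before the access date
  2. minimum-necessary check: the (action, reason) pair is not permitted for the user's role
"""
from dataclasses import dataclass
from datetime import date

# Constructed workforce roster (assumption): user -> (role, separation date or None)
ROSTER = {
    "jdoe": ("billing", None),
    "asmith": ("admin", date(2018, 3, 15)),  # separated; account should have been disabled
    "drlee": ("physician", None),
}

# Constructed audit log (assumption): timestamp,user,patient_id,action,reason_code
LOG = """\
2018-04-02T09:12:00,jdoe,P1001,view_claim,billing
2018-04-02T09:30:00,asmith,P2042,view_chart,none
2018-04-02T10:01:00,drlee,P2042,view_chart,treatment
2018-04-03T14:20:00,jdoe,P3077,view_chart,none
2018-04-03T14:21:00,drlee,P3077,view_chart,treatment
"""

# Constructed minimum-necessary table (assumption): role -> allowed (action, reason) pairs
ALLOWED = {
    "billing": {("view_claim", "billing")},
    "physician": {("view_chart", "treatment")},
    "admin": set(),  # administrative staff need no direct chart access in this model
}


@dataclass(frozen=True)
class Finding:
    """One reviewable exception raised by the access review."""
    user: str
    patient_id: str
    timestamp: str
    issue: str


def review_access_log(log_text, roster, allowed):
    """Return a list of Findings, in log order, for every line that fails a check."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, patient_id, action, reason = line.split(",")
        access_day = date.fromisoformat(ts[:10])
        entry = roster.get(user)
        if entry is None:
            # an account not on the roster should never touch ePHI
            findings.append(Finding(user, patient_id, ts, "unknown user"))
            continue
        role, separated_on = entry
        if separated_on is not None and access_day >= separated_on:
            findings.append(Finding(user, patient_id, ts, "access after separation"))
            continue
        if (action, reason) not in allowed.get(role, set()):
            findings.append(Finding(user, patient_id, ts,
                                    f"{action} outside role '{role}' minimum necessary"))
    return findings


if __name__ == "__main__":
    for f in review_access_log(LOG, ROSTER, ALLOWED):
        print(f"{f.timestamp} {f.user} {f.patient_id}: {f.issue}")
```

On the constructed input the review raises two findings: the separated administrative account reading a chart three weeks after its separation date, and a billing user opening a chart with no treatment or billing reason. A real review would read the roster from HR and the log from the EHR's audit trail, but the two checks, and the need to run them on a schedule rather than only after a complaint, are the substance of the two OCR recommendations.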
The expectation is that you will, or already have, incorporated most, if not all, of the recommended/required protocols above with the assistance of your legal team and your IT vendor. If not, allow today's newsletter to serve as a needed wake-up call. You can insure against HIPAA risk, but only if you have the required protocols and trainings in place; many carriers will disclaim coverage if you do not meet basic compliance requirements.
Happy to discuss.
Have a question for Jennifer? Email is best. You can reach her at Jennifer@Kirschenbaumesq.com.