ephi

Subscribe to ephi via RSS

Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network MCPN, a Colorado based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for the center, which provides health care services to low income patients, settled alleged HIPAA violations of failing to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI…and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

The problem is that OCR has never provided guidance on what this phrase means. What qualifies in its opinion as an “accurate and thorough assessment?” What are security measures that are “reasonable and appropriate?” The terms are inherently subjective and could move with the facts or the particular OCR investigator.
Continue Reading OCR Levies Hefty Fine Against FQHC

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities.

According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which

On September 2, 2015, the U.S. Department of Health & Human Services (HHS) announced that Cancer Care Group, P.C. (CCG), a physician practice located in Indiana, agreed to pay $750,000 as part of a settlement to resolve alleged violations of HIPAA’s Security and Privacy Rules.

The HHS Office for Civil Rights (OCR) initiated an investigation