ephi

Subscribe to ephi via RSS

Touted as the first OCR settlement with a wireless health services provider, the OCR announced on April 24, 2017, that it has settled alleged HIPAA violations with CardioNet, based in Pennsylvania for $2.5 million.

CardioNet self-reported a data beach in January 2012, stating that an unencrypted laptop of one of its employees was stolen from a vehicle parked outside the employee’s home. (Again? Don’t get us started on why employees STILL have unencrypted laptops in their cars.)

The laptop contained the ePHI of 1,391 individuals who received mobile monitoring and response for cardiac arrhythmias by CardioNet. Since the breach involved more than 500 individuals, the OCR conducted an investigation. It alleges that as a result of the investigation, it found that CardioNet “had an insufficient risk analysis and risk management processes in place” and that the HIPAA Security Rule policies and procedures were in draft form and had not been implemented. Further, according to the OCR, CardioNet “was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.”
Continue Reading OCR Settles First Case With Wireless Provider for $2.5 Million

Showing no signs of letting up on enforcement actions, the Office for Civil Rights (OCR) late last week settled an investigation against Metro Community Provider Network MCPN, a Colorado based federally qualified health center, for alleged HIPAA violations. The fine, a whopping $400,000 for the center, which provides health care services to low income patients, settled alleged HIPAA violations of failing to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI…and to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

The problem is that OCR has never provided guidance on what this phrase means. What qualifies in its opinion as an “accurate and thorough assessment?” What are security measures that are “reasonable and appropriate?” The terms are inherently subjective and could move with the facts or the particular OCR investigator.
Continue Reading OCR Levies Hefty Fine Against FQHC

New guidance from the Office for Civil Rights (OCR) urges covered entities and business associates to use Secure Hypertext Transport Protocol (HTTPS) to protect communications from vulnerabilities.

According to OCR, the vulnerability can be introduced by the use of products that inspect HTTPS traffic. These products are used to detect malware or unsafe connections, which

On September 2, 2015, the U.S. Department of Health & Human Services (HHS) announced that Cancer Care Group, P.C. (CCG), a physician practice located in Indiana, agreed to pay $750,000 as part of a settlement to resolve alleged violations of HIPAA’s Security and Privacy Rules.

The HHS Office for Civil Rights (OCR) initiated an investigation