HIPAA Violations Cost HCPs Big, but In-House Can Help

By Jonathan R. Tung, Esq. on May 04, 2016 | Last updated on March 21, 2019

Health care providers collectively are holding their breath following last month's $1.55 million settlement agreement between Minnesota's North Memorial Health Care and the U.S. Department of Health and Human Services Office of Civil Rights (OCR). Soon all the oxygen was sucked out of the room following an even bigger settlement with New York's Feinstein Institute. What is a health care provider to do?

Even though hindsight is 20/20, compliance departments and in-house counsel would do well to peruse their agreement contracts with company contractors. A change might be just what the doctor ordered.

The Classic Mistake

It started out as one of the oldest security slip-ups in the book. The OCR began investigating North Memorial after it got wind of a report indicating that a computer was stolen from the locked car of a contractor. Unfortunately, even though the computer was password protected, it was not encrypted.

Teachable Moments

It's always difficult to focus on the misfortunes of others, but the OCR assumed a cautionary tone. North Memorial did not have compliant business associate agreements and also lagged behind in proper risk assessment when analyzing the entire company's network.

Round Two

But North Memorial was not the only institution that OCR had to discipline. The agency also settled the New York outfit Feinstein Institute for Medical Research for HIPAA breaches occurring in 2012. In that breach, about 13,000 patients' records were stolen because, OCR concluded, it had similarly lagged in implementing policies that might have stopped the breach. In other words, they were negligent.

Grand Takeaways

The in-house lawyer can do his company a favor by insisting on a thorough review of all the current business associate agreements for their at-home HCP client. This will no doubt reveal holes that will have to be plugged up -- a process that will cost time and money. But it might be better to let in-house rip off the Band-Aid before federal regulators do it instead.

Related Resources:

Copied to clipboard