HIPAA Privacy Enforcement Is Alive And Well: Is Your System Compliant?

The U.S. Health and Human Services Department (HHS) recently reached settlements with two academic medical centers and an insurance holding company relating to potential privacy violations of the Health Insurance Portability and Accountability Act (HIPAA). Each entity will be subject to a corrective action plan and civil monetary penalties ranging from $750,000 to $3.5 million.  The security failures resulting in the HHS investigations ranged from the simple theft of an employee laptop to the breach of approximately 90,000 individuals’ electronic personal health information (ePHI) after an employee fell victim to a phishing email.  The common element in HHS’s investigative reports of the three entities is that each entity failed to perform a comprehensive risk analysis. The entities’ analyses were deficient in scope because either (1) the entity failed to properly include every affiliated facility in the risk analysis, or (2) the risk analysis did not include all of the systems and technologies where ePHI was created, transferred, stored, or received.

To ensure compliance with HIPAA and HITECH security and privacy regulations, covered entities should perform a broad risk analysis that covers all possible sources of PHI and keep the risk analysis up to date. Maintaining compliance with HIPAA regulations will likely be even more important in the upcoming year in light of a report the Office of the Inspector General (OIG) issued in October calling for stronger, more proactive oversight from HHS. Accordingly, covered entities can expect an increased possibility of enforcement activity, including privacy protection audits.

Consult an attorney at an Ally Law member firm to determine if your current security and privacy policies and procedures are compliant with federal and state regulations. If your system is being challenged by a private citizen or an arm of the government, an Ally Law member firm can guide you through the most efficient and cost-effective dispute resolution.  For more information about our services in this area, contact us at yourally@ally-law.com.

By Vorys.