HHS-OCR recently announced two HIPAA violation settlements with significant financial penalties in the space of a week, and both covered entities and business associates should take notice.  First was the settlement involving Lahey Clinic Hospital, Inc. (Lahey), which agreed to a settlement that stemmed from a 2011 incident where an unencrypted laptop was stolen from its facility, potentially compromising the PHI of 599 individuals.  Lahey was fined $850,000 as part of the settlement and agreed to enter into a Corrective Action Plan (CAP), which includes “a comprehensive, organization-wide risk analysis of the security risks and vulnerabilities to the ePHI created, received, maintained or transmitted by Lahey.”  The device was reportedly taken from an unlocked treatment room “off of the inner corridor” in the hospital’s radiology department.  The OCR investigation found that Lahey failed to implement the necessary physical safeguards for a workstation that houses ePHI, and that it “failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI as part of its security management process.”

Second was the news that Triple-S Management Corp. has agreed to pay $3.5 million to settle HHS-OCR’s claims that the company’s subsidiaries violated HIPAA and other privacy and security rules.  The Puerto Rican insurance holding company will also have to implement a three-year corrective action plan. The company did not admit liability under the agreement.  The OCR resolution agreement described five data breaches connected to TRIPLE-S that affected over 500 individuals and that took place between 2010 and 2015. Moreover, TRIPLE-S was responsible for two data breaches that affected fewer than 500 individuals.  The “widespread noncompliance” at Triple-S also included not implementing the proper safeguards to protect beneficiaries’ health information, disclosing that information to third parties without permission and using or disclosing more of that information than necessary for mailings, OCR said.

The importance of being HIPAA compliant is at an all-time high, with HHS-OCR planning to conduct numerous additional audits of both covered entities and business associates in the near future.  If you have concerns about whether your entity is HIPAA compliant, feel free to contact the Florida health law attorneys at Nicholson & Eastin, LLP.