January 29, 2023

Volume XIII, Number 29



OCR Warns HIPAA Covered Entities: When You Learn About HIPAA Violations, Fix Them

Roger Severino, Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), provides advice for HIPAA covered health care providers:

When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information

According to OCR allegations, a small health care provider in North Carolina, Metropolitan Community Health Services, reported a data breach on June 9, 2011. The breach involved the impermissible disclosure of protected health information to an unknown email account affecting 1,263 patients. It is not clear when OCR’s investigation commenced, but it “revealed longstanding, systemic noncompliance with the HIPAA Security Rule…Metro failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.” Under the Resolution Agreement reached with OCR, Metro agreed to a two-year corrective action plan (CAP) and to pay $25,000.

The OCR considered that Metro is a Federally Qualified Health Center that provides a variety of discounted medical services to the underserved population in rural North Carolina, but that did not stop it from taking enforcement action against a relatively small covered entity. Other examples of enforcement actions against small health care providers include:

HIPAA compliance is no doubt a significant challenge for large and small covered healthcare providers, and other covered entities and business associates. In addition, data breaches can be nearly impossible to prevent in all cases. However, these and other OCR enforcement actions suggest that with some relatively basic compliance measures, small providers can be more successful during OCR investigations. Here are some examples:

  • Conduct a risk assessment that considers the threats and vulnerabilities to protected health information.

  • Maintain written policies and procedures that address the administrative, physical, and technical safeguards required under the Security Rule.

  • Provide training and improve security awareness for workforce members when they begin working for the organization and periodically thereafter.

  • Maintain business associate agreements with all business associates.

  • Document compliance efforts.

And, of course, evaluate compliance following a reported data breach and make the necessary improvements.

Jackson Lewis P.C. © 2023

National Law Review, Volume X, Number 206

About this Author


Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973-538-6890