October 31, 2020

Volume X, Number 305


Office of Civil Rights Steps Up HIPAA Enforcement Following Breaches of Protected Health Information

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy.  In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.

Last month, OCR announced two seven-figure settlements for breaches of protected health information (PHI) arising from thefts of unencrypted laptops.

  • OCR entered into a $1.55 million settlement with North Memorial Health Care of Minnesota, after a laptop was stolen from a car of one of the hospital’s business associates.  In investigating the incident, HHS found that the hospital did not have a business associate agreement in place with the business associate and also failed to conduct a risk assessment as required by the HIPAA Security Rule.

  • OCR entered into a $3.9 million settlement with the Feinstein Institute for Medical Research, after a laptop was stolen from an employee’s car, resulting in a breach of approximately 13,000 patients’ and research participants’ PHI.  OCR alleged that the Institute’s security process was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities” to PHI.  OCR also found that the Institute did not maintain adequate HIPAA security policies and procedures.

As we have previously reported, thefts of unencrypted laptops are a common fact pattern leading to HIPAA liability.  Covered entities and business associates should take steps to implement technical safeguards that ensure that electronic PHI stored on a laptop or mobile device is rendered unreadable or unusable to unauthorized users.

In addition, earlier this month, OCR reached a $750,000 settlement with a health clinic that failed to enter into a business associate agreement before disclosing PHI of 17,300 patients to a business partner.

These recent enforcement actions underscore the importance of covered entities’ adopting adequate HIPAA policies and procedures as well as entering into valid business associate agreements with contractors and service providers that have access to PHI.

Finally, OCR just announced a $2.2 million settlement with New York Presbyterian Hospital for permitting a crew to film hospital patients, without their authorization, during the taping of a television show.  OCR found that the hospital allowed the film crew “virtually unfettered access,” and thus it did not protect against impermissible disclosures of PHI.

In conjunction with this settlement, OCR announced the release of additional guidance regarding media access to PHI.  In this guidance, OCR explains that a covered entity must enter into a business associate agreement before it may allow a film crew access to areas where PHI is accessible.  OCR writes that the only exceptions are for those disclosures permitted by the HIPAA Privacy Rule, such as to help locate an unidentified and incapacitated patient in its care.  OCR also writes that covered entities may allow film crews into areas generally accessible to the public, such as areas where the public enters and exits the facility or a public waiting room.

The OCR guidance does not discuss whether a business associate agreement is required when a patient gives authorization and the film crew does not have access to unauthorized PHI.  In these circumstances, it is likely that a patient authorization would suffice.

© 2020 Covington & Burling LLP. National Law Review, Volume VI, Number 120



About this Author

Dena Feldman, healthcare attorney, Covington

Dena Feldman helps clients from across the health care industry navigate a range of complex regulatory and policy issues.

Ms. Feldman has particular expertise on health privacy issues arising under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Clinical and Economic Health (“HITECH”) Act, and state medical privacy laws. Ms. Feldman also regularly counsels clients on the federal rules and policies governing Medicare and Medicaid, including the new mandates of the Affordable Care Act.