Thursday, January 3, 2013

HHS announces first HIPAA breach settlement involving less than 500 patients

The U.S. Department of Health and Human Services just announced a landmark settlement involving the HIPAA Breach Notification Rule and the HIPAA Security Rule. At the heart of this settlement is HHS's determination that, while the breach notification was sufficient, the underlying HIPAA Security compliance efforts fell short, particularly in not having conducted a HIPAA Security Risk Analysis and in not maintaining specific mobile device policies and procedures. The settlement underscores that the facility was deficient both in never having done a HIPAA risk analysis since the HIPAA Security Rule effective date of April 20, 2005, and in not maintaining a risk analysis and management plan since that time. Click here to read the full press release from the US Dept. of Health and Human Services.

Click here to review the Resolution Agreement and CAP. For more information on OCR's Enforcement Activities, click here. To explore information, tips, and steps on protecting and securing health information when using a mobile device, click here.

The Colorado Rural Health Center can assist your organization in completing or updating the HIPAA Security Risk Analysis. For more information, email David Ginsberg at dg@coruralhealth.org.