Office of Civil Rights


While your business may indeed be a “victim” when hit by a phishing attack, your enterprise can also be responsible for violations of law associated with the incident. Earlier this week, the HHS Office for Civil Rights (“OCR”) announced a $400,000 settlement with Metro Community Provider Network (“MCPN”) related to a 2012 HIPAA breach caused by a phishing scam. The phishing scam, carried out by accessing MCPN employees’ email accounts, gave a hacker access to the electronic protected health information (“ePHI”) of 3,200 individuals. In investigating the breach, OCR determined that, prior to the breach, MCPN had not conducted a security risk analysis (a requirement under HIPAA). Further, OCR found that even after MCPN conducted a risk analysis, its analysis was insufficient to meet the requirements of the HIPAA Security Rule.

In addition to the $400,000 fine, MCPN agreed to a corrective action plan with OCR. That plan requires MCPN to conduct a comprehensive risk analysis and to submit a written report on the risk analysis to OCR. Additionally, MCPN will be required to develop an organization-wide risk management plan, to review and revise its Security Rule policies and procedures, to review and revise its Security Rule training materials, and to report to OCR any instance of a workforce member failing to comply with its Security Rule policies and procedures.

The MCPN settlement underscores the importance of risk analyses and workforce training to avoid phishing scams. Additionally, it is crucial that entities regulated by HIPAA conduct an enterprise-wide HIPAA risk analysis, update that analysis to address new threats, and implement policies and training based on identified risks. Failure to comply with these essential HIPAA requirements can turn a relatively routine breach investigation into a $400,000 settlement.

A copy of the MCPN resolution agreement and corrective action plan is available here. OCR’s press release on the settlement is available here. General Security Rule guidance from OCR is available here.

Written by  Dianne J. Bourque  (reprinted from Mintz Levin’s Health Law Policy Matters blog)

The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer and the risks of leaving paper records in the driveway. The enforcement action and ensuing settlement – an $800,000 fine and corrective action plan – was levied against Parkview Health System, Inc. (“Parkview”), a provider of community-based health care services. In 2008, Parkview took custody of the paper medical records of 5,000 – 8,000 patients in connection with a physician’s retirement and in anticipation of purchasing some of the physician’s practice. In 2009, perhaps after the transaction fell through, although the Parkview Resolution Agreement does not specify, Parkview left 71 boxes of these medical records unattended in the driveway of the physician’s home, and, according to OCR, within 20 feet of a public road and a short distance from a heavily trafficked public shopping area.

Medical records custody transfers are extremely common in health care transactions such as asset purchases or sales, or when a health care provider is retiring or leaving a practice. Medical records custody agreements ensure that records are maintained for legally required time periods to facilitate ongoing patient care, payment, audit, and other purposes. Providers should take care to ensure that, in addition to retention and availability, custody arrangements ensure the ongoing security of medical records in any form. Paper records should be secured in accordance with HIPAA standards, for example, stored in a locked facility with physical safeguards consistent with HIPAA standards. Storage in a retiring physician’s driveway, abandoned office space, public storage facility, or other unsecured physical location is inconsistent with HIPAA standards. Records in electronic form must be protected in accordance with the HIPAA Security Rule.

Both the transferring and the recipient provider should carefully consider technical security measures, who will have electronic access to the records, and how that access will occur. Failure to address these important considerations risks not only a breach but aggressive enforcement by OCR.

Written by Stephanie D. Willis and Dianne J. Bourque (republished from Mintz Levin’s Health Law Policy Matters blog)


Last week, the HHS Office of Civil Rights (OCR) released two reports required by the Health Information Technology for Economic and Clinical Health (HITECH) Act: (i) the Annual Report to Congress on Breaches of Unsecured Protected Information (Breach Report); and (ii) the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance (Compliance Report). In reviewing the Breach and Compliance Reports, Chief Information Officers, compliance and privacy officers, and information security professionals in the health care field should note five key lessons:

1) Know Where Your Organization’s Protected Health Information (PHI) is Primarily Stored and Invest in the Right Protection

The statistics in both reports clearly show that most breaches still come from “older” sources of PHI, such as paper records, desktop computers, and network servers. The Breach Report states that 225 out of the 458 total reports of breaches (or 49%) affecting 500 or more individuals involved these PHI sources in 2011 and 2012. In fact, the largest breach occurring in the two-year period covered by the Breach Report involved a TRICARE contractor’s loss of back-up tapes that affected a total of approximately 4.9 million individuals.

In addition to updating and monitoring security protocols for older PHI sources, covered entities should address security problems with newer storage media. For instance, the Breach Report documents a large jump in the number of breaches involving laptop computers, with a corresponding increase in affected individuals, between 2011 and 2012: from 48 reports affecting 437,770 individuals in 2011 to 60 reports affecting 654,158 individuals in 2012. Because theft was the primary cause of breaches in 2009-2012, ensuring that laptops and other portable electronic devices are secured in accordance with standards acceptable under HIPAA will become even more important as organizations adopt more “bring your own device” policies to ensure the mobility and convenience of health care delivery.

Continue Reading Five Lessons from OCR’s Report to Congress on Breaches and HIPAA Rules Compliance

Written by Dianne J. Bourque

Last week at the OCR/NIST conference, Building Assurance through HIPAA Security, Linda Sanches of the Office for Civil Rights provided an extensive update on the pilot HITECH audit program, including preliminary findings, what regulated entities can expect next and suggestions for covered entities concerned about being audited. Mintz Levin attended the conference and is pleased to share some of the highlights below:

The initial round of audits included 8 health plans, 10 providers, and 2 clearinghouses.

  • Providers had the most findings (81%). Provider findings were both privacy and security related.
  • The most common privacy findings included misuse of the PHI of deceased individuals, compliance with the patient confidential disclosures right, disclosures for judicial proceedings, compliance with the patient access right, failure to follow policies and procedures, no evidence of policy and procedure implementation, insufficient policies and procedures, failure to review and update policies on an ongoing basis, and failure of the organization to prioritize HIPAA compliance.

For more on the OCR HITECH audits, see our complete post at the Mintz Levin Health Law Policy Matters blog.


Written by Kimberly Gold

If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike.

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar. OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information. OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriguez expressed the agency’s hope that health care providers “pay careful attention” to the Resolution Agreement and the expectation that all providers, “no matter the size,” fully comply with the Privacy and Security Rules.

The Resolution Agreement has a clear warning for service providers:  Vendors of services that store and transmit patient information, including the seemingly innocuous Web-based e-mail and calendar services, are business associates and are required to comply with the Privacy and Security Rules.  It also serves as a reminder to health care providers to ensure that business associate agreements are in place for all these types of services.

The settlement reaffirms OCR’s commitment to enforcing the Privacy and Security Rules, and its willingness to sanction covered entities for HIPAA violations.  Just last month, BlueCross BlueShield of Tennessee agreed to pay $1.5 million to settle claims of non-compliance with the Privacy and Security Rules.

Written by Stephen Bentfield

In the two-plus years since the enactment of the HITECH Act, the health care industry has seen a dramatic shift in federal and state HIPAA enforcement posture.  Just within the last month, HHS announced a $4.3 million civil fine imposed on Cignet Health for failing to provide patients with copies of their medical records and then refusing to cooperate with HHS in its subsequent investigation, and a $1 million settlement with Massachusetts General Hospital that resulted from a privacy breach that occurred when an employee lost patient records on a subway train. 

These are just the latest signals. 

Starting next month, the Office of Civil Rights (“OCR”) is holding a series of two-day courses across the country to train state attorneys general on HIPAA enforcement and investigative techniques.  Add to that the HITECH Act’s requirement for stepped-up audits of covered entities and business associates to ensure compliance with the HIPAA Privacy and Security Rules and the picture becomes clear:  the days of relaxed HIPAA enforcement are over.  

Given this new enforcement environment, HIPAA covered entities (and business associates, for that matter) should consider undertaking a comprehensive internal inventory and audit of their contractual arrangements with service providers and vendors to ensure these arrangements are HIPAA and HITECH Act compliant.  But surely security breaches and compliance audits happen to other people. 

Why should your organization expend the time, money, and resources to conduct a top-to-bottom review?  

Find out why and how after the jump.    


Continue Reading HIPAA Enforcement on the Rise: Do You Know Who Your Business Associates Are??

The cost of data breaches keeps on rising.  Add another million to this week’s HIPAA charges.

Just released this afternoon – the Office of Civil Rights announced that it has reached a settlement with Massachusetts General Hospital relating to a 2009 loss of medical records when a billing manager who was carrying the records accidentally left them on a train.  The incident involved 192 patients of the hospital’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS. 

Today’s press release announced that the settlement includes a $1,000,000 payment and a resolution agreement, including a corrective action plan, under which Massachusetts General agrees to undertake measures to improve the privacy and security of patient medical records.

The Resolution Agreement and Corrective Action Plan can be reviewed here.


This week, we heard about the first civil money penalty under the HIPAA Privacy Rule for failure to provide access to medical records and willful neglect — and it was a whopper.  The appearance of Adam Greene, Senior Health IT and Privacy Advisor to the Office of Civil Rights — the enforcement arm of the Department of Health and Human Services — at the HIMSS Conference in Orlando was timely, to say the least.

Contributed by Dianne Bourque from HIMSS

The Office of Civil Rights presented a breakout session entitled HIPAA and Health IT: Trends in Privacy, Security & Breach Notification, and offered some insights into its experience with HITECH implementation and enforcement to date. The session also provided a glimpse at what regulated entities could look forward to in the future. According to Mr. Greene, some of the top security enforcement issues to date have been related to:

1. Impermissible uses and disclosures of protected health information (PHI)

2. Lack of reasonable/appropriate physical safeguards

3. Failure to provide access (more details about Cignet Health in this article from The Washington Post (registration required))

4. Failure to abide by the minimum necessary standard

5. Inadequate complaint processes

Mr. Greene indicated that his office averages 900 reports of breaches per month under HITECH and that 51% of these breaches relate to theft. Interestingly, hacking and IT security breaches account for only 7% of reported breaches.

Mr. Greene also indicated that final rules implementing various provisions of HITECH will be published sometime in 2011.  The rules will include staggered compliance dates providing time for covered entities to update Notices of Privacy Practices, Business Associate Agreements and other forms.  Mr. Greene indicated that the Office of Civil Rights is also preparing a HITECH outreach campaign, including educational videos and improved website navigation.  Existing guidance documents will be updated and new guidance documents will be prepared.  Finally, the Office of Civil Rights is planning its auditing approach for covered entities and a training program for state attorneys general who will be enforcing HIPAA under new authority from HITECH.

Mintz Levin will be monitoring all of these changes, so stay tuned.