Following on the heels of a few relatively small HIPAA settlements, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) announced that it has imposed $2,154,000 in civil monetary penalties against Jackson Health System in Florida for its failure to meet HIPAA privacy and security requirements.  The OCR announcement and accompanying

The Office of Civil Rights of the Department of Health and Human Services has announced settlements with three different Boston-area hospitals for allegedly compromising the privacy of protected health information by inviting documentary film crews on premises without first obtaining patient authorization.  The three settlements call for a total of almost $1 million in penalty payments and require each of the hospitals to undertake corrective action.  The corrections are not the same for each hospital and range from workforce education and communication to the establishment of specific procedures, for example, for deciding when to allow media access and for putting safeguards in place to monitor film crew activity.

Filefax, Inc., a health care records moving and storage company that served as a business associate, went into receivership in 2016.  But its receivership did not put an end to an OCR investigation into a HIPAA violation from 2015. Now, the receiver for Filefax has agreed to pay a fine of $100,000 and to properly store, inventory, and dispose of the medical records remaining in its possession under HHS supervision.

The investigation began with a complaint that OCR received about the exposure of a large volume of documents containing protected health information.  The investigation confirmed that an individual had left medical records of approximately 2,150 patients at a shredding and recycling facility and that Filefax had either left the PHI in an unlocked truck in the Filefax parking lot or granted permission to a person to remove the PHI from Filefax and left the PHI, unsecured, outside the Filefax facility for that person to collect.