According to HHS Attorney, HIPAA Enforcement to Increase

Yesterday, Law360 reported on some interesting comments made by Jerome B. Meites, a chief regional civil rights counsel at HHS (speaking on his own behalf), at the American Bar Association conference on Physician Legal Issues in Chicago. [1] According to the report, Meites told "attendees that the past 12 months of enforcement will likely pale in comparison to the next 12 months." Meites further said, "Knowing what's in the pipeline, I suspect that that number will be low compared to what's coming up."

Meites also addressed the risk of portable media devices, stating that "Portable media is the bane of existence for covered entities. It causes an enormous number of the complaints that OCR deals with." These comments regarding portable media (e.g., phones, USB drives, laptops) are not surprising considering that, of the 18 published actions, 7 involved the loss of unencrypted devices. Additionally, according to OCR's most recent report to Congress [2]:
The 222 reports submitted to OCR for breaches occurring in 2012 described the following locations of the PHI (in order of frequency):
(1) laptop computer (60 reports affecting 654,158 individuals);
(2) paper (50 reports affecting 386,065 individuals);
(3) network server (30 reports affecting 986,607 individuals);
(4) desktop computer (27 reports affecting 253,720 individuals);
(5) other (22 reports affecting 166,411 individuals);
(6) other portable electronic device (20 reports affecting 463,702 individuals);
(7) e-mail (8 reports affecting 241,108 individuals); and
(8) electronic medical record (5 reports affecting 121,964 individuals).
Similarly, many of the most notable class actions and other enforcement actions also involved the loss or theft of laptops. The action against Accretive Health by both the Minnesota Attorney General and the FTC stemmed from the theft of an unencrypted laptop, and the class action settlement by AvMed Health Plans involved the theft of two unencrypted laptops from its corporate office (recall that in this case several of the plaintiffs were victims of identity theft).

According to the report, Meites also "noted that failure to perform a comprehensive risk analysis, as required under HIPAA, has factored into most of the relatively few cases in which breaches actually resulted in financial settlements and not just corrective actions."
"You really have to think carefully about what a risk analysis involves, and it can't just be the obvious," Meites said. "Everywhere in your system where [patient information] is used, you have to think about how to protect it."
Providers and business associates should remember that a Risk Analysis is not a check-the-box exercise. That is, completing the HIT Security Risk Assessment Tool provided by the National Learning Consortium is unlikely to be sufficient to meet the obligation of performing a thorough Risk Analysis. Similarly, as OCR has made clear in numerous settlements, the Risk Analysis process is an ongoing effort, and a Risk Analysis must be undertaken when there is a change in the environment, for example:
  • a move to a new office space -- settlement with Blue Cross and Blue Shield of Tennessee
  • an update to a website that handles PHI -- settlement with WellPoint
  • a change in server configuration -- settlements with Skagit County, Washington, and New York and Presbyterian Hospital

(Brief summary of the OCR settlements.)

For those providers that have attested to Meaningful Use, completing a proper Risk Analysis is that much more important, because MU incentive payments could be clawed back on a fraud theory given the failure to comply with the requirements of the program.

[1] Jeff Overley, Big Year Ahead For HIPAA Fines, HHS Atty Says, Law360, June 12, 2014.

[2] HHS, OCR, Report to Congress on the Breach Notification Program, 2011-2012.

Posted by Tatiana Melnik on June 13, 2014
