[ Tuesday, March 29, 2022 ]


 4 New Enforcement Actions.  The OCR issued a press release last night outlining 4 recent HIPAA enforcement action settlements.  Three takeaways:

  1. None of the entities are hospitals or health systems, physician groups, or insurers, and all of them look like small practices (all of them could be solo practitioner dentist or psychotherapist shops).  This goes to show that OCR doesn't only focus on the big dogs, and you can't hide behind the fact that "I'm just a little dentist office" to avoid HIPAA scrutiny.
  2. Three of the cases involve access, showing that OCR has not slowed up in making patient access an enforcement focus.  These cases bring the total of access cases to 27.
  3. The fines are small: $28,000 on the low end, $62,500 on the high end.  Not the 6-, 7-, or 8-figure cases we expected during the first 15 years of OCR enforcement.
All cases also appear to be complaint-driven; if you have a breach that you have to report, or a patient makes a complaint and you don't have a good story to tell, you better be prepared for a possible fine.

Jeff [8:49 AM]

