OCR March Madness - Professional Risk Management Services


In January, I posted about the “Top Three HIPAA Lessons Learned in 2015,” citing the need to encrypt portable devices containing PHI as the number one lesson learned. In March, the Office of Civil Rights (OCR) announced two new resolution agreements, both stemming from the loss of unencrypted laptops. It appears that OCR is beginning to lose patience with covered entities that fail to encrypt portable devices and protect patient health data. Both resolution agreements were notable in their own right.

  • North Memorial Health Care (March 16th) – This nonprofit healthcare system reached a resolution with OCR, agreeing to pay a settlement amount of $1.55 million. OCR began investigating North Memorial after it reported the theft of an unencrypted laptop housing the health information of nearly 10,000 individuals. Interestingly enough, North Memorial was not directly responsible for the breach. The laptop was stolen from the locked car of an employee working for Accretive, North Memorial’s business associate. Although it doesn’t appear that North Memorial’s covered conduct included its business associate’s loss of the laptop, OCR did determine that North Memorial failed to enter into a business associate agreement and, therefore, improperly shared the PHI of almost 300,000 individuals with Accretive.

  • Feinstein Institute for Medical Research (March 17th) – The following day, OCR announced that it had reached a resolution agreement with Feinstein, a biomedical research institute. In this case, OCR’s investigation was also prompted by the self-reporting of an unencrypted laptop stolen from a car. OCR determined that Feinstein failed to do a security risk assessment, failed to put into effect policies to safeguard the laptop, and failed to encrypt the laptop, resulting in the improper disclosure of PHI for 13,000 individuals. Feinstein settled with OCR for $3.9 million. As can be seen below, this is the highest resolution settlement amount ever paid for the loss of an unencrypted portable device.

 

* Number of individuals affected reported by entity other than OCR.


 

Justin A. Pope, JD
Associate Risk Manager

Justin Pope joined PRMS in 2014. Mr. Pope is responsible for researching emerging legal issues, creating online risk management content, and providing advice to individual providers through the Risk Management Consultation Service.

As a law student, he focused primarily on international, administrative, and food law. During his final year at Howard, Mr. Pope gained additional insight into the FDA’s regulatory process while serving as a research assistant to his professor. He has also interned as a legal assistant for both the Ft. Monroe Garrison Office of the Staff Judge Advocate and the Office of the Naval Inspector General, opining on a variety of legal issues, including privacy law. Mr. Pope received his Bachelor of Arts degree in International Affairs from the University of Virginia and his Juris Doctor degree from the Howard University School of Law.
