- Hypertrophic Cardiomyopathy (HCM)
- Vaccines: 2023 Year in Review
- Eyecare
- Urothelial Carcinoma
- Women's Health
- Hemophilia
- Heart Failure
- Vaccines
- Neonatal Care
- NSCLC
- Type II Inflammation
- Substance Use Disorder
- Gene Therapy
- Lung Cancer
- Spinal Muscular Atrophy
- HIV
- Post-Acute Care
- Liver Disease
- Pulmonary Arterial Hypertension
- Biologics
- Asthma
- Atrial Fibrillation
- Type I Diabetes
- RSV
- COVID-19
- Cardiovascular Diseases
- Breast Cancer
- Prescription Digital Therapeutics
- Reproductive Health
- The Improving Patient Access Podcast
- Blood Cancer
- Ulcerative Colitis
- Respiratory Conditions
- Multiple Sclerosis
- Digital Health
- Population Health
- Sleep Disorders
- Biosimilars
- Plaque Psoriasis
- Leukemia and Lymphoma
- Oncology
- Pediatrics
- Urology
- Obstetrics-Gynecology & Women's Health
- Opioids
- Solid Tumors
- Autoimmune Diseases
- Dermatology
- Diabetes
- Mental Health
HIPAA compliance must address organization oversight
HHS is giving HIPAA enforcement efforts more teeth with fees and Corrective Action Plans
Approximately five years after the promulgation of the final privacy and security regulations under HIPAA, and two and a half years after the promulgation of a final rule addressing the implementation of civil money penalties, the first-ever monetary settlement paid, and Resolution Agreement/CAP, to resolve a potential violation of the HIPAA privacy and security standards was entered into between Department of Health and Human Services, Office of Civil Rights (OCR) and the Centers for Medicare and Medicaid (CMS) and Providence Health and Services, Providence Health System, and Providence Hospice and Home Care.
Providence agreed, without any admission of liability, to pay the government $100,000 and implement a comprehensive, three-year Corrective Action Plan (CAP). OCR and CMS had launched their investigation after Providence notified the state of Oregon, and affected patients, of the data breach, some of whom then filed complaints with the federal government.
This settlement appears to be a part of a trend of increased complaints of violations and enforcement by the OCR. Also, in March 2007, the OIG began auditing covered entities' compliance with the privacy and security regulations as well as OCR regulators being granted the authority to issue subpoenas in its civil privacy investigations without having to first seek the approval of the HHS Secretary. The enforcement trend and the settlement sends a signal to the industry of the need to elevate privacy and security as a focus area of compliance.
Now that HHS likely believes that covered entities have had sufficient time (approximately five years) to come into compliance with HIPAA privacy and security rules, HHS may be concluding that the time has come to add some "teeth" to its enforcement.
As such, the action taken against Providence is probably not an isolated measure, and is more likely the harbinger of a more aggressive approach to enforcement.
This column is written for informational purposes only and should not be construed as legal advice.
John Eriksen is a senior associate at Epstein, Becker and Green, P.C. in its Health Care and Life Sciences practice group and focuses primarily on health regulatory, compliance, managed care and transactional matters.
DC Roundtable: Patrick Cooney of The Federal Group Drops the Latest on PBM Legislation in Washington
April 11th 2024In this episode of "DC Roundtable," Peter Wehrwein, managing editor of Managed Healthcare Executive, spoke with Patrick Cooney, president of The Federal Group, a lobbying and strategic planning firm in Washington, D.C., about recent developments in Washington concerning PBMs.
Listen
