Back to Blog

Final Enforcement Action from OCR for 2018 Revealed

Image of Angela Simmons
Angela Simmons

The final HIPAA enforcement action for 2018 between Cottage Health and OCR reaffirmed yet again that entities must conduct a thorough and accurate Risk Assessment to assess and reduce risks and vulnerabilities to it's ePHI. ePHI is not found just in the EHR, but may be found on hard drives, medical modalities and devices, servers, email accounts, etc. Additionally, OCR once again has sent a costly reminder that Risk Assessment is not enough - you must then mitigate those risks or put compensating controls in place to prevent unauthorized access to ePHI.

This resolution agreement was also another reminder that obtaining satisfactory assurances that your third party vendors WILL safeguard the ePHI of the practice is required. Business Associate Agreements must be executed, but should never be entered into lightly. What proof exists that the Business Associate can or will actually conduct business in keeping with the tenets of the HIPAA rules?

In the Cottage Health Resolution Agreement OCR found that:

  • CH failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the ePHI held by CH. See 45 C.F.R. § 164.308(a)(l)(ii)(A).

  • CH failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). See 45 C.F.R. § 164.308(a)(l )(ii)(B).

  • CH failed to perform a technical evaluation in response to CH’s contractor installing Windows OS. See 45 C.F.R. § 164.308(a)(8).

  • CH failed to obtain satisfactory assurances from a particular contractor, in the form of a written business associate agreement, that the contractor would appropriately safeguard ePHI that the contractor maintained on behalf of CH. See 45 C.F.R. §§ 164.308(b) and 164.502(e).

Related Posts

After the HIPAA Violation...

Image of Elizabeth Phillips
Elizabeth Phillips

Growing up, my favorite excuse to get out of trouble was “But Dad, I didn’t know.”  It was second...

Read more

State Attorney General Gets Serious About HIPAA Violations

Image of Angela Simmons
Angela Simmons

On August 29th, 2018 the Attorney General for New York announced a settlement for $200,000 with the...

Read more