Breaking Compliance News Blog

HIPAA News: Two Settlements and a Fraudulent OCR Postcard

Posted by Margaret Scavotto, JD, CHC on 8/10/20 1:15 PM

Watch Out for Fraudulent OCR Postcards

On August 6th, the OCR issued an Alert: Postcard Disguised as Official OCR Communication. This Alert warns covered entities and business associates that an impostor is sending out postcards posing as the OCR. The postcards ask the recipient to visit a website, call, or email “to take immediate action on a HIPAA Risk Assessment.” The postcard is not from the OCR; it is from a consulting company trying to sell services.

FQHC enters HIPAA settlement

Metropolitan Community Health Services (Metro), d/b/a Agape Health Services, a Federally Qualified Health Center in rural North Carolina, will pay $25,000 to resolve allegations that it violated the HIPAA Security Rule.

Metro filed a breach report after it disclosed PHI for 1,263 patients to an unknown email account. The OCR investigated, and found “longstanding, systemic noncompliance with the HIPAA Security Rule. Specifically, Metro failed to conduct any risk analyses, failed to implement any HIPAA Security policies and procedures, and neglected to provide workforce members with security awareness training until 2016.”

Unencrypted laptop leads to 7-figure HIPAA settlement

Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a not-for-profit health system, entered a $1,040,000 settlement to resolve allegations that it failed to comply with the HIPAA Privacy and Security Rules. Lifespan ACE notified the OCR that a hospital employee’s unencrypted laptop containing PHI for 20,431 employees was stolen.

Upon investigating, the OCR found “a systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so. OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place….”

How well do your employees know HIPAA?

Most breaches start with a simple action by a single employee – the click of a URL, a single sent email, or a lost device. Security policies and procedures are essential to prevent breaches, but so is training.

MPA can help your employees get HIPAA right – we are scheduling our popular “Is It A Breach?!?” virtual training sessions today. Learn more.

Topics: HIPAA
