Kusserow on Compliance: New OCR Guidelines

The HHS Office for Civil Rights (OCR) issued a new guidance which points out a list of 10 violations where Business Associates (BAs) can be held directly liable. The guidance points out that where BAs may not be liable, the covered entity (CE) may be still on the hook for violations of those violations. As such CEs should carefully review their BA Agreements (BAAs) to ensure that they cover requirements that don’t directly apply to BAs but are still enforceable against CEs.

The OCR also notes that large data breaches also continue to dominate the press. The OCR recently cited among recent notable breaches that an EMR and software services provider allowed hackers access to 3.5 million patient records. Touchstone Medical Imaging (TMI), agreed to pay $3 million for a breach involving one of its FTP servers that contained PHI for over 300,000 patients. LabCorp received notice from American Medical Collection Agency (AMCA), a collection firm working on its behalf, regarding unauthorized access of 7.7 million patients’ PHI stored by AMCA. This announcement followed a similar one from Quest Diagnostics, in which they reported that AMCA’s breach affected 11.9 million of its patients.

Updates on OCR enforcement actions can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.