Kusserow on Compliance: OCR continues enforcement involving HIPAA breaches

2020 Survey found 60 percent of health care organizations had recent OCR encounters

Lifespan to pay $1,040,000 to Settle Unencrypted Stolen Laptop Breach

Although many agencies have taken the Pandemic into consideration when pursuing enforcement actions, this does not mean they have stopped altogether. Everyone was reminded of this with the announcement that Lifespan Health System Affiliated Covered Entity has agreed to pay $1,040,000 to the HHS Office for Civil Rights (OCR) and to implement a corrective action plan with OCR monitoring for 2 years, in order to settle potential violations of the HIPAA Privacy and Security Rules related to the theft of an unencrypted laptop belonging to a hospital employee, which contained electronic protected health information affecting 20,431 individuals. OCR’s investigation found:

  • Lack of policies and procedures to encrypt all devices used for work purposes
  • Failure to encrypt ePHI on laptops
  • Lack of device and media controls
  • Failure to have a business associate agreement in place

Going forward, Lifespan must designate at least one individual to ensure that the organization enters into business associate agreements with its business associates. It must also develop a process for evaluating business relationships and determining which vendors should be considered business associates.

It is noteworthy that the 2020 Healthcare Compliance Benchmark Survey Report found respondents reporting more enforcement encounters with OCR than with the OIG or DOJ. Nearly 60 percent of respondents reported having encounters with the OCR regarding HIPAA breaches in the last few years. The question is no longer whether there will be a HIPAA Breach problem that draws OCR attention, but when it will occur. The Survey also found that three quarters of compliance offices now had responsibility for HIPAA Privacy. This lays the compliance challenge at the feet of Compliance Officers.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Webinar replay: Personal Health Information: Hospitals, Health Plans, and Human Resources

Event Date: Thursday, October 13, 2016

Headlines screaming about the mishandling of personal health information have become ubiquitous in the media. Employers handling health records are rightly concerned about their liability for the protection of such data. So where should an anxious employer begin?

This free webinar replay provides employers with an overview of their legal obligations, focusing significantly on health care providers, covered entities, and business associates under HIPAA, as well as the handling of health information from health insurance, medical leave, or disability, and covers GINA, the FMLA, and the ADA.

Replay this webinar to get real answers to questions like:

  • What obligations do organizations have to secure protected health information (PHI) under HIPAA?
  • What can HIPAA-covered entities and business associates expect from OCR audits and compliance investigations?
  • What other laws must employers consider when dealing with health information?

Oregon university pays $2.7M, agrees to corrective action plan following breaches

Data breaches affecting thousands of people have resulted in Oregon Health & Science University (OHSU) settling with HHS to resolve allegations of potential Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) violations. The settlement includes a $2.7 million payment as well as the implementation of a corrective action plan (CAP). The HHS Office for Civil Rights (OCR) stated that OHSU failed to correct system security issues despite several opportunities to do so.

Risk analysis and breaches

Between 2003 and 2013, OHSU performed six risk analyses that did not cover all electronic protected health information (ePHI) as required. Despite this limitation, widespread vulnerabilities were identified. OHSU did not properly implement security measures to address these issues and failed to create policies and procedures to allow the university to prevent, detect, and address security violations. Risk analysis revealed that lack of encryption was a vulnerability, but ePHI was still not encrypted.

As a result of OHSU’s inaction, several breaches occurred, involving unencrypted laptops and a stolen unencrypted thumb drive. Protected information about thousands of people was stored on a cloud server without a proper security agreement. Over a thousand people had a diagnosis of a sensitive nature, presenting a significant risk of harm. This server also contained payment information, photos, Social Security numbers, driver’s license numbers, and information about medical procedures.

Resolution agreement

OHSU’s resolution agreement with HHS establishes OHSU’s responsibility to implement the CAP and pay the fee. In exchange, HHS releases OHSU from actions the agency could take due to the confidentiality issues. The CAP places various obligations on OHSU, starting with a thorough assessment of all risks and vulnerabilities to ePHI at all facilities, including all systems, networks, and devices that handle ePHI. A risk management plan must be created for implementing security measures and submitted to HHS for review and approval. HHS must also receive regular updates about encryption status and updates regarding OHSU’s compliance under the CAP.