Episode 45: Employer Lessons from OCR HIPAA Settlements in 2018
In this episode, Suzanne and Chase review the Office of Civil Rights (OCR, a subdivision of HHS) list of HIPAA violation settlements that occurred in 2018. To lead off, though, Chase breaks down the purpose of the HIPAA privacy and security rules, and what the basic HIPAA requirements are for employers. Suzanne and Chase then discuss several OCR investigations of employer HIPAA violations that eventually led to settlements. Chase breaks down HIPAA violations resulting from several situations. First: a doctor’s response to media inquiries regarding a patient’s complaint. Second: a hospital group that developed policies and procedures, but failed to implement them and later experienced a breach when unencrypted USB drives were lost and an unencrypted computer was stolen. Third: a document retention company that left a box of files containing sensitive information in an unlocked truck in its parking lot. The final case involves hospitals that failed to obtain authorization from patients while filming a TV mini-series. Chase and Suzanne close with a discussion of HIPAA compliance learning points for employers and their group health plans.