Years ago, we used to poke a little fun at HHS/OCR, comparing them to a sleeping giant. As time went on, it seemed like OCR was issuing enough enforcement actions to get the medical community's attention, but these days it appears to have resumed its horizontal posture (think about it...). Well, paint us surprised reading that Oklahoma State University – Center for Health Sciences (OSU-CHS) is paying $875,000 and agreeing to a corrective action plan; it's been a fat minute since something like this has happened.
The trigger for the settlement was a criminal breach of ePHI that exposed the ePHI of 279,865 individuals. That's the bad part; here's the dumb part... OCR found that OSU-CHS failed to conduct an accurate and thorough risk analysis, failed to perform a required evaluation, failed to implement audit controls, failed to implement security incident response and reporting procedures, and failed to report the breach within the required timeline. All we have to say is, "really?!".
In 2022, there is no excuse for not performing a reasonable and appropriate risk analysis, for skipping technical and non-technical evaluation, or for not training staff to recognize and respond to security incidents. All of these items are "HIPAA 101".
Let us know what help you need or what questions you have. If you're already one of our partner-clients, you know we'll be honest and won't try to upsell you on anything you don't need to avoid becoming the next OCR settlement we all read about. The HHS announcement and settlement are linked below (click the graphic) if you want to read them for yourself.
Stay (HIPAA) safe, Alan -