This morning we are reading the Office for Civil Rights (OCR) Resolution Agreement and Corrective Action Plan (CAP) with iHealth Solutions of Louisville, Kentucky, following its unauthorized disclosure of 267 people's protected health information by failing to secure a server. iHealth is paying $75,000 and entering a two-year CAP, which seems light given that we don't see where iHealth had previously conducted a risk assessment, nor where it had previously developed the policies and procedures appropriate to a Business Associate.
We've helped organizations after their breach investigation has been initiated. When we perform this work, we develop the required policies and perform the required risk assessment and training to enable our clients to respond to the investigation, normally through an insurance company's (or independent) legal counsel. Why are we pointing this out? Because while reading the CAP, we note that OCR is asking for the very things that we would have delivered immediately, potentially staving off any settlement dollars or CAP.
No organization should guarantee a "no fines, no settlements" result from an OCR investigation. That said, all of the companies that we've helped post-breach so far have avoided a CAP (including payments) every time. We remain curious why whoever was hired to assist iHealth didn't deliver the same results. You can read today's OCR Resolution Agreement and CAP by clicking the graphic below.
Stay (HIPAA) safe, Alan -