April has been a busy month for the OCR. As of the writing of this email, there have been two HIPAA settlements for potential violations of the HIPAA Security Rule and one settlement for a potential violation of the Privacy Rule. The potential non-compliance with the Security Rule stemmed from a stolen, unencrypted laptop (2012 incident) costing $2.5M and impacting 1,391 patients, and from an unauthorized disclosure due to a phishing attack (2012) costing $400K and impacting 3,200 patients. The Privacy Rule settlement was for the lack of an appropriate business associate contracting process (2015), costing $31K and impacting an unknown number of patients.

Action Items:

  1. Ensure Business Associate Agreements are in place with all vendors that have access to PHI/ePHI.
  2. Encrypt all high-risk assets (e.g., laptops, tablets, phones, unsupervised/untethered desktops, and removable media such as backup tapes and flash media).
  3. Enhance security awareness training to cover phishing and other social engineering attacks.

You can find the corrective action plans here: