
Two Covered Entities Settle Potential Violations of HIPAA Privacy and Security Rules For Approximately $2 Million

The U.S. Department of Health and Human Services (“HHS”) recently announced resolution agreements (“RAs”) with two covered entities, a health care provider and an insurer, under HIPAA’s privacy and security rules (the “Rules”), requiring combined payments of approximately $2 million to settle potential violations of the Rules. Both RAs stemmed from investigations conducted by HHS as a result of breach notifications the covered entities submitted to report the thefts of laptop computers containing unencrypted electronic protected health information (“ePHI”). Apart from the settlement payments, the RAs impose two-year corrective action plans, including the performance of risk analysis, implementation of risk management plans and training, and periodic follow-up activities with HHS. Although failure to encrypt ePHI is not a per se violation of the Rules, the HHS news release regarding the RAs underscores HHS’ view that unencrypted laptops and other mobile devices pose significant risks to the security of ePHI, and “encryption is [a covered entity’s] best defense against these incidents.”

A copy of the health care provider’s resolution agreement is available here.
A copy of the insurer’s resolution agreement is available here.
A copy of the HHS news release is available here.

The lawyers of our Employee Benefits and Executive Compensation Practice Group are readily able to assist companies on a nationwide basis with implementing sophisticated benefit plans and providing answers to their most challenging compensation issues. Additionally, our lawyers are well aware of the daily employee benefits challenges facing companies of all sizes and are capable of helping in-house lawyers and human resources personnel with the day-to-day advice and guidance necessary to properly administer employee benefits plans.


May 2014