Federal Regulators Fine First Business Associate for HIPAA Breach
On June 29, 2016, the OCR announced the first HIPAA enforcement fine levied on a Business Associate. A nonprofit organization was hit with a $650,000 fine for a breach that affected just 412 patients. The company was also put on a corrective action plan that cited a list of security violations that must be remediated. While some of the violations concerned technical controls, many revolved around written policies and the failure to conduct risk assessments.
Some of the findings included:
- The lack of regular risk assessments
- The lack of developing, maintaining, and revising written policies to comply with HIPAA requirements
- The lack of password protection on mobile devices
Read the story from Healthcare Info Security.