Federal Regulators Fine First Business Associate for HIPAA Breach

healthcare-infor-securityIn October of 2013 The Office for Civil Rights implemented the Omnibus Rule that made all Business Associates directly accountable for HIPAA compliance.

On June 29, 2016, the OCR announced the first HIPAA enforcement fine levied on a Business Associate. A nonprofit organization was hit with a $650,000 fine for a breach that affected just 412 patients. The company was also put on a corrective action plan that cited a list of security violations that must be remediated. While some of the violations were technical controls, many revolved around policies and conducting risk assessment.

Some of the findings included:

  • The lack of regular risk assessments
  • The lack of developing, maintaining, and revising written policies to comply with HIPAA requirements.
  • Encryption
  • Lack of password protection on mobile devices

Read the story from Healthcare Info Security.

Comments are closed.