The Office for Civil Rights (OCR) inked three agreements last month to settle potential violations of the Health Insurance Portability and Accountability Act. First, OCR announced a $400,000 settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC). MCPN settled with OCR amidst allegations that it failed to comply with the HIPAA Security Rule's requirements to conduct a risk analysis and implement a risk mitigation plan. MCPN also agreed to a three-year corrective plan, requiring it to carry out a risk analysis, create a risk mitigation plan, and review and revise its Security Rule policies and procedures and employee training materials.
OCR also pursued Center for Children's Digestive Health (CCDH), a small pediatric specialty practice, for its failure to enter into a business associate agreement with its medical record storage provider. CCDH paid $31,000 and agreed to a two-year corrective plan, through which it is required to implement appropriate HIPAA policies and procedures.
OCR closed the month by announcing a $2.5 million settlement with CardioNet, an entity that provides wireless cardio monitoring services. The settlement addressed allegations that CardioNet failed to conduct a risk analysis and implement a risk mitigation plan, and also cited CardioNet's lack of policies to safeguard removable media containing protected health information. CardioNet agreed to correct these deficiencies through a two-year corrective action plan.
TIP: These settlements serve as a reminder that OCR is continuing to actively enforce HIPAA and pursue entities for non-compliance.