OCR Announces Two New Settlements For HIPAA Privacy and Security Violations

The Office for Civil Rights (OCR) has announced its seventh and eight settlements of 2017, with two separate covered entities. The first was with a covered entity that made unauthorized disclosures of a patient’s identity to the media, advocacy groups, and state legislators, and failed to appropriately sanction workforce members responsible for the disclosure. The second settlement was with a covered entity that failed to conduct an adequate risk assessment and failed to implement appropriate security controls, resulting in the theft of an unencrypted laptop containing the protected health information (PHI) of 1,391 individuals.

Both settlements highlight the need for covered entities to pay attention to the fundamentals of HIPAA privacy and security – risk analyses and implementation of appropriate policies and procedures. Both of these cases stemmed from ordinary human error. Because neither covered entity had put adequate safeguards in place, this human error had expensive consequences.

More information on these settlements, as well as previous OCR settlements for privacy and security violations, can be found here: