The U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") recently released details about a $750,000 HIPAA settlement, emphasizing the importance of risk analysis and device and media control policies. The OCR found a cancer care provider in widespread noncompliance with the HIPAA Security Rule, and it specifically attributed a security breach to the fact that (i) the provider had not conducted an enterprise-wide risk analysis, and (ii) the provider did not have a written policy in place specific to the removal of hardware and electronic media containing protected information into and out of its facilities.

In an unrelated matter, OCR also launched a new portal for mobile health developers to ask questions about HIPAA privacy and security. According to a press release, anyone may browse the site, and although users must log in with an email address to submit questions, all users will remain anonymous to OCR, and posting information will not subject anyone to enforcement action.