The OCR evaluates all types of covered entities for HIPAA violations including private practices, general hospitals, outpatient facilities, pharmacies, and health plans. A few private practices recently reached settlements with OCR for HIPAA violations:
A pediatric and adult dermatology practice was fined $150,000 for a HIPAA violation involving the loss of an unencrypted flash drive containing PHI. Along with the fine, the group was required to implement a corrective action plan.
A cardiology practice reached a $100,000 settlement with the OCR after an ongoing failure to comply with HIPAA. The practice was posting clinical and surgical appointments on a publically accessible internet-based calendar. In addition, the practice failed to implement basic HIPAA requirements to appropriately protect patient information.
An orthopedic clinic did not execute a business associate agreement with a business partner before turning over the PHI of 17,300 patients. The practice settled for $750,000 as well as agreed to a comprehensive corrective plan.
When determining a settlement, the OCR takes into account the length of time during which the violation occurred, how many patients were affected, the type of PHI exposed, and how willing the organization is to assist with their investigation.