HHS Settles With Hospital and Healthcare Network Following Potential HIPAA Violations
The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) settled two investigations into potential violations of the Health Insurance Portability and Accountability Act.  OCR announced a resolution agreement with a public hospital after initiating an investigation into complaints that the hospital was the victim of a ransomware attack affecting the electronic protected health information (“ePHI”) of more than 5,000 patients.  The hospital entered into a three-year corrective action plan and agreed to pay $25,000.  In another case, OCR settled with a healthcare network following a phishing attack that compromised employee email accounts, exposing ePHI.  The healthcare network also agreed to a corrective action plan and paid a $600,000 settlement to OCR.

To mitigate cyber threats, OCR recommends, among other things, that health care providers identify and monitor how ePHI is shared, integrate risk analysis and management into the organization’s business processes, implement regular reviews of information system activity, and maintain audit controls to monitor and record information system activity.

New Executive Order Aims to Lower Drug Prices
The White House published an Executive Order to lower prescription drug prices.  The Order directs HHS to seek comment on guidance for the Medicare Drug Negotiation Program and consider adjustments that would align Medicare payments with hospital acquisition costs for covered outpatient drugs.
