Mostly unnoticed amidst the recent series of multimillion dollar settlements announced as penance for HIPAA violations has been the unknown, but undoubtedly far larger, number of government investigations of data breaches for which no fine has been imposed. Obtaining this more favorable treatment is a matter of proper preparation, mitigation and remediation, not luck.

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has announced a steady stream of settlements with HIPAA violators over the past several years, as often chronicled on this blog. The largest settlements typically result from a covered entity's or business associate's failure to conduct a proper HIPAA risk assessment or to implement the policies and procedures the Security Rule requires.

Some high-profile data breaches, however, are never followed by equally high-profile settlement announcements. A case in point is the breach suffered by Bizmatics Inc., a large vendor of electronic health records software and revenue cycle management services. Bizmatics' servers were hacked in 2015, potentially exposing the protected health information of more than 300,000 people, and OCR opened an investigation of the company.

According to a recent article in HIPAA Journal, OCR has now closed its investigation without taking enforcement action against Bizmatics. The article details the steps the company took in preparing for, mitigating and remediating the breach that allowed it to avoid a costly settlement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.