Recent settlement agreements underscore the critical importance of HIPAA compliance for organizations of all sizes that handle PHI. When implementing and monitoring their HIPAA compliance programs, covered entities and business associates should pay attention to the areas on which OCR focuses. Patients' right of access to their own PHI, compliance with Security Rule requirements, compliant business associate agreements, and implementation of policies, procedures and training have been recurring themes in OCR enforcement efforts. The most recent activity may indicate that, after a lull in the first half of the year that may have been influenced by the COVID-19 public health emergency, OCR is returning to its regular pace of enforcement. As providers adapt to the “new normal” and look to the future, it is important that they also review their HIPAA compliance measures.

$1.55 million settlement highlights the importance of implementing HIPAA Business Associate Agreements – March 16, 2016

HHS then investigated Athens Orthopedic and identified the following HIPAA violations: (i) failure to conduct an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI; (ii) failure to implement sufficient hardware, software and procedural mechanisms to record and examine activity in information systems that contain or use ePHI; (iii) failure to enter into business associate agreements with three business associates; and (iv) failure to provide HIPAA training to all of its workforce and to maintain copies of its HIPAA policies and procedures.

Available from www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/premera/index.html

Lifespan ACE, a Rhode Island-based non-profit health care system, has designated itself as a HIPAA affiliated covered entity (ACE)¹ and comprises various health care provider affiliates, including Rhode Island Hospital.
On February 25, 2017, a laptop used for work by a Rhode Island Hospital employee was stolen, resulting in the impermissible disclosure of the protected health information (PHI) of 20,341 individuals. In particular, the PHI on the stolen laptop may have included information not only about Rhode Island Hospital patients but also about patients of other Lifespan ACE providers, including pharmacies and other hospitals. Lifespan Corporation (the parent company and business associate of Lifespan ACE) submitted a breach report to OCR, and the ensuing investigation revealed systemic noncompliance with the HIPAA Rules by Lifespan ACE, including (i) failure to encrypt all devices used for work, even though an internal risk analysis had determined that encryption was reasonable and appropriate; (ii) failure to track or inventory all devices that access the network or contain ePHI; and (iii) failure to have proper business associate agreements in place between Lifespan Corporation and the Lifespan ACE member affiliates.

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate, in which the covered entity or business associate agrees to fulfill certain obligations and to submit reports to HHS over a three-year period.