HHS Resolution Agreements
HHS then investigated Athens Orthopaedics and alleged the following HIPAA violations: (i) failure to conduct a thorough and accurate assessment of the risks and potential vulnerabilities to the confidentiality, integrity and availability of its ePHI; (ii) failure to implement sufficient hardware, software and procedures to record and analyze activity in information systems containing or using ePHI; (iii) failure to enter into business associate agreements with three business associates; and (iv) failure to provide HIPAA training to all of its staff and to maintain copies of its HIPAA policies and procedures.
Following a complaint investigation or compliance review, the OCR sometimes determines that it is necessary to negotiate resolution agreements that require covered entities to take corrective action to comply with federal civil rights laws. These agreements can be broad national agreements that require systemic changes in the way a state does business, or may cover a single health care provider or hospital. Some recent examples are cited below:
AOC has entered into a resolution agreement and a corrective action plan and has agreed to pay $1.5 million in penalties. The corrective action plan requires it to review its business associate agreements as necessary, conduct a risk analysis, develop a risk management plan, review its privacy, security and breach notification policies, and train staff in these policies. HHS will monitor AOC's compliance with the corrective action plan for a period of two years.
Well-organized hacker groups have deliberately targeted institutions in the health care sector in order to gain access to sensitive data.
The factual descriptions in the resolution agreements do not provide much detail, but the penalties and corrective action plans imposed by the OCR demonstrate the importance of maintaining appropriate security measures to prevent inappropriate access to ePHI and of responding immediately to detected incidents.