Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center, a non-profit hospital system based in New York City for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR is responsible for administering and enforcing health information privacy, including enforcement of the HIPAA Privacy, Security, and Breach Notification Rules for the healthcare sector. OCR plays a unique role in serving as the agency at HHS that enforces federal civil rights, privacy and security laws in healthcare. HIPAA requires that healthcare providers, insurers and others take steps to protect the privacy and security of patients’ protected health information. The $4.75 million monetary settlement and corrective action resolves multiple potential failures by Montefiore Medical Center relating to data security failures by Montefiore that led to an employee stealing and selling patients’ protected health information over a six-month period.
