The Department of Health and Human Services Office for Civil Rights (HHS OCR) recently settled with a notable covered entity – a nonprofit Federally Qualified Community Health Center (FQHC) – over alleged Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations.

With the FQHC agreeing to pay $400,000 to HHS and entering into a corrective action plan, this settlement highlights how long HHS OCR investigations can take (five years from investigation start to settlement); how broad HHS OCR targets are (FQHCs are not safe from scrutiny); and just how onerous corrective action can be after an investigation.

Our data privacy and cybersecurity team has prepared an excellent, detailed summary of the case, which may be found here.