Senior Communications Manager
Kirk Nahra Discusses First OCR Sanction Involving a Research Institute
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a March 17 HealthcareInfoSecurity.com article about a $3.9 million federal penalty imposed as part of a settlement involving a New York-based medical research institute for potential Health Insurance Portability and Accountability Act (HIPAA) violations.
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) cited insufficient security management processes, policies, and procedures as the reasoning for its action, and the research institute agreed to a “substantial corrective action plan.”
“OCR doesn’t have authority over all research entities because they aren’t all covered entities or business associates,” said Mr. Nahra. However, the office is “definitely sending a message to these folks to be careful and smart with research data,” he added.
“This particular case also is complicated by the involvement of a research entity,” he said. “So this case also sends a message to the research community that they need to be paying a lot of attention to these issues.”
Nahra pointed out that the recent OCR settlements demonstrate “an ongoing and expanded focus on overall security efforts and compliance activities. This is clearly a focus of attention, and an area where companies need to make sure they are taking appropriate action.”
To read the complete article, please click here.