Wagner Header

The Wagner Law Group

The Wagner Law Group is a nationally recognized practice in the areas of ERISA and employee benefits, estate planning, employment, labor and human resources and  investment management.



Established in 1996, The Wagner Law Group is dedicated to the highest standards of integrity, excellence and thought leadership and is considered to be amongst the nation's premier ERISA and employee benefits law firms. The firm has six offices across the country, providing unparalleled legal advice to its clients, including large, small and nonprofit corporations as well as individuals and government entities worldwide. The Wagner Law Group's 27 attorneys, senior benefits consultant and three paralegals combine many years of experience in their fields of practice with a variety of backgrounds. Seven of the attorneys are AV-rated by Martindale-Hubbell and six are Fellows of the American College of Employee Benefits Counsel, an invitation-only organization of nationally recognized employee benefits lawyers.  Seven of the firm's attorneys have been named to the prestigious Super Lawyers list for 2016, which highlights outstanding lawyers based on a rigorous selection process.




Contact Info

The Wagner Law Group


  Integrity | Excellence



Tel: (617) 357-5200 

Fax: (617) 357-5250 

99 Summer Street 

13th Floor

Boston, MA 02110


Washington, D.C.

Tel: (202) 969-2800

  Fax: (202) 969-2568

800 Connecticut Ave., N.W.

Suite 810

Washington, D.C. 20006


Palm Beach Gardens 

Tel: (561) 293-3590
Fax: (561) 293-3591
7108 Fairway Drive
Suite 125
Palm Beach Gardens, FL 33418



Tel: (813) 603-2959

Fax: (813) 603-2961

101 East Kennedy Boulevard

Suite 2140
Tampa, FL  33602 


San Francisco

Tel: (415) 625-0002

Fax: (415) 358-8300

300 Montgomery Street

Suite 600

San Francisco, CA 94104


St. Louis

Tel: (314) 236-0065

Fax: (314) 236-5743
25 W. Moody Avenue
St. Louis, MO  63119







May 24, 2017


 Health and Welfare Law Alert




Two HHS Settlements for HIPAA Violations Include Penalties Totaling over $5 Million







HHS has announced two major settlements it has reached with covered entities to resolve alleged violations of the HIPAA Privacy and Security Rules.  The terms of each settlement agreement require the covered entity to pay a multimillion dollar penalty to HHS and implement a corrective action plan.




HIPAA Privacy Rule.  The HIPAA Privacy Rule establishes standards to protect individuals' medical records and other protected health information ("PHI").  The rule applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Privacy Rule requires covered entities to implement appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures of PHI by covered entities without patient authorization.

HIPAA Security Rule.  The HIPAA Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits PHI in electronic form ("e-PHI").  The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.  Specifically, covered entities must:


  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce. 




Privacy Rule Violation.  HHS initiated its compliance review following media reports that the covered entity had disclosed a patient's PHI without authorization.  Specifically, a patient at one of the covered entity's clinics was arrested after presenting a fraudulent identification card to office staff.  The staff proceeded to report the incident to law enforcement, which is authorized under the Privacy Rule.  However, the covered entity subsequently issued a press release that impermissibly disclosed PHI by including the patient's name in the press release headline.  In addition, the covered entity failed to timely document the sanctioning of its employees who impermissibly disclosed the patient's name to the media.




To resolve these Privacy Rule violations, the covered entity agreed to pay a $2.4 million penalty and implement a corrective action plan that required it to update its policies and procedures on safeguarding PHI, and provide training to its employees on the issue.




Security Rule Violation.  This investigation stemmed from the covered entity's report to HHS that an employee's unencrypted laptop computer, which contained the PHI of 1,391 individuals, had been stolen from a vehicle parked outside the employee's home.  HHS's review of the incident revealed that the covered entity had insufficient risk analysis and risk management plans at the time of the theft and had failed to implement policies and procedures regarding encryption and the movement of electronic media within its facilities.




To settle these Security Rule violations, the covered entity agreed to pay a $2.5 million penalty and implement a corrective action plan that requires it to conduct a risk analysis and adopt a risk management plan.  The covered entity also agreed to implement secure device and media controls, and certify to HHS that all portable media devices are encrypted. 




Employer Takeaway.  To prevent costly HIPAA enforcement actions, covered entities are advised to: 


  • Conduct new risk analyses after all modifications to underlying technology;
  • Update policies and procedures to account for changes in technology or practices;
  • Regularly provide HIPAA training to employees;
  • Conduct HIPAA audits;
  • Monitor security breaches; and
  • Create and implement a breach response plan.




This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.


This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice.  This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.