First it was Alaska DHSS, and now the Massachusetts Eye and Ear Infirmary is suffering a big consequence for a relatively small breach. The organization has agreed to pay a hefty penalty of $1.5 million for HIPAA violations identified during OCR’s investigation of the theft of an unencrypted laptop, which occurred in 2010.
This Boston-based teaching hospital of Harvard Medical School has also agreed to a corrective action plan similar to the one in the Alaska DHSS case, including reviewing, revising, and maintaining policies and procedures for HIPAA Security Rule compliance. In addition, the agreement requires the organization to retain an independent monitor to assess compliance with the corrective action plan and submit semi-annual reports to the Department of Health and Human Services for a period of three years.
Industry experts are of the opinion that this incident yet again reinforces the need for organizations to improve their HIPAA compliance efforts. Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates, stated that organizations of all sizes that possess protected health information should implement long-held, proven, and widely accepted security measures for all types of personal data. She further said that many organizations take a wait-and-see approach to implementing security controls: they want to be told to implement encryption, employee training, and so on before making any such investment, and they do not want to act unless it is proven that these security measures are absolutely necessary.
Entities should understand that preventing a breach costs significantly less than paying a penalty and taking corrective action after a breach has occurred and the organization’s reputation has been damaged. In the case of Massachusetts Eye and Ear, OCR launched its investigation after the theft of a laptop was reported in February 2010. This unencrypted laptop contained information on more than 3500 patients as well as 68 participants in a research project.
The investigation revealed that the hospital had failed to take the steps necessary to comply with several requirements of the HIPAA Security Rule, including conducting a risk analysis, implementing adequate security measures, and adopting policies restricting access to protected health information. It was also found that these failures had continued over an extended period of time, demonstrating a long-term disregard for HIPAA requirements.
This is the second time in three months that a huge penalty has stemmed from a small breach. The incident further highlights the need to be fully compliant with HIPAA rules at all times. This is possible only with a solution like SecureGRC, which takes care of all the security requirements with its built-in HIPAA compliance framework and allows organizations to steer clear of security challenges.