In spite of the continued emphasis on the need to protect Patient Health Information (PHI), there are still a few healthcare enterprises that take things for granted! The latest HIPAA settlement, in which Parkview Health System Inc. agreed to pay $800,000 and take corrective action, demonstrates the need for PHI to be protected in all forms, even paper records. The PHI breach at Parkview Health System was of a different kind. No hacking into systems or stolen laptops containing PHI!
The settlement stemmed from a 2009 complaint filed by a retiring physician. It was found that Parkview took custody of the medical records of nearly 5,000 to 8,000 patients, packed into 71 boxes. The complaint alleged that Parkview Health employees left these boxes unattended on the driveway, accessible to unauthorized persons and a short distance from a high-traffic shopping venue. The medical records were therefore simply stolen! Considering that OCR has been warning of a crackdown through strict HIPAA enforcement, Parkview had to pay a hefty sum of $800,000.
As there is still a lot of paper-based PHI in use, effective policies and protections against improper disposal are crucial. Although this incident occurred five years ago, it is an expensive reminder for every workforce member of a healthcare organization to think about how they handle patient information. Christina Heide, acting deputy director of health information privacy at OCR, reiterates that it is imperative that HIPAA covered entities and their business associates protect patient information records at all times, even during normal routines such as their transfer and disposal, since healthcare entities and business associates are directly liable for HIPAA compliance under the HIPAA Omnibus Rule.
Incidents like the Parkview violations remind us that protecting health information needs a careful and comprehensive rethinking of the myriad ways that health care data can get lost. Workforce awareness and training are essential in averting paper-based breaches, according to Kate Borten, president of the security and privacy consulting firm The Marblehead Group. But what is more important is for you to think outside the box to define, assess and manage the risks involved in existing processes and to find established ways of securing patient health information, since such regulatory violations cost a significant amount of money in settlements!
To prevent similar issues arising in the future, Parkview Health implemented a comprehensive electronic health record system that is more secure than a paper record system. Information security and compliance would get much simpler if you explored comprehensive security solutions such as Aegify Security Posture Management (for continuous security monitoring), Aegify Risk Manager (for assessing and understanding the business risks), or Aegify SecureGRC (to remain continuously compliant with the requirements of the law). With built-in policies, procedures, best practices, and a rich knowledge base on security, risk, and compliance, supporting multiple regulatory and standard requirements, the Aegify framework can greatly simplify your security, risk and compliance processes.