While there has been continued emphasis on the need for conducting risk analysis and encrypting data, there are still many providers who are yet to take these calls for action seriously. Here’s another wake-up call to all such entities: another federal investigation of a relatively small breach at a physician group practice in Massachusetts has resulted in a financial penalty of $150,000.
Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, notified OCR in October 2011 that an unencrypted thumb drive containing health information of about 2,200 individuals was stolen from a staff member’s vehicle and was never recovered. Following this, OCR conducted a breach investigation, which revealed that the practice had not conducted a thorough risk analysis.
The Department of Health and Human Services’ Office for Civil Rights (OCR) announced a resolution agreement with APDerm on December 26th. In addition to the $150,000 penalty, the agreement calls for a corrective action plan to address the deficiencies in HIPAA compliance. This would also include conducting a thorough risk analysis and developing a risk management plan.
OCR pointed out that this is the first HIPAA settlement that cites a covered entity for not complying with the requirements of the HIPAA breach notification rule to have policies and procedures in place and to train members of the workforce. While this case illustrates OCR’s ongoing emphasis on conducting risk analysis, it also brings to the forefront OCR’s emphasis on the importance of having written policies and procedures in place, and of training staff members adequately with respect to breach notification.
The Warning Bell
This case clearly illustrates that failure to analyze risks associated with health information, and negligence or irresponsibility in safeguarding protected health information, will inevitably be followed by enforcement action. It also highlights the need for healthcare entities to take two important steps towards breach prevention: 1. understanding and addressing risks surrounding health information, and 2. encrypting data irrespective of where it is kept.
There have been two other cases where similar penalties were imposed for relatively small breaches. The first was in January 2013, when Hospice of North Idaho agreed to pay $50,000 following the investigation of the theft of an unencrypted laptop computer that affected 441 individuals; the second was in May, when Idaho State University agreed to pay $400,000 as part of a resolution agreement arising from a breach that affected 17,500 patients as a result of the firewall protecting the server being disabled.
What these incidents repeatedly remind us is that protecting health information is not a one-time task. It should be treated as an ongoing requirement. Comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC can facilitate meeting this ongoing requirement. With built-in policies, procedures, and frameworks for HIPAA compliance, these security solutions can greatly simplify the process of compliance and dramatically improve the security posture of healthcare entities.