INSIGHT

Just days into the New Year and already 2 HIPAA fines

By Danika Brinda

Well, HIPAA enforcement in 2017 is getting off to an active start. While 2016 saw a record year with 13 HIPAA Enforcement fines amounting to $23.5 million, the OCR has already published two HIPAA Enforcement fines amounting to $2.7 million just 19 days into the New Year. It is safe to assume that we are going to see another active year with HIPAA Fines and Enforcement!

2017 HIPAA Enforcement Fine #1
Lack of Timely HIPAA Breach Notification
Fine: $475,000

Presence Health found out about missing operating room paper schedules containing 836 patients’ protected health information on October 22, 2013. Notification was made to the Department of Health and Human Services on January 31, 2014, approximately 101 days later. This was definitely a flag, and the Office for Civil Rights (OCR) went in to investigate the concerns. During the investigation, it was found that Presence Health failed to provide timely written notification to those affected by data breaches on multiple occasions. In addition, Presence Health did not provide timely notification to the media and to the Secretary of OCR.

The one area I thought was interesting in the corrective action plan was the statement that “Each day on which Presence Health failed to notify each affected Individual of the breach indicates a separate violation of the Breach Notification Rule.” (Page 2, A here.) Every day late counted as a separate violation of the HIPAA Breach Notification Law!

Lesson Learned: Create a solid Breach Investigation and Notification Process. Don’t be late on notification to any party and don’t delay notification once a decision is made. If you know it is a data breach at day 34, complete the proper notifications shortly thereafter. Don’t wait until day 60.

2017 HIPAA Enforcement Fine #2
Failure to Conduct a HIPAA Risk Analysis and Implement Safeguards
Fine: $2,200,000

MAPFRE Life Insurance Company of Puerto Rico had a USB data storage device stolen from its IT department. The USB storage device held patient information, including name, date of birth, and social security number, for about 2,209 individuals. OCR is making a statement that failure to conduct a risk analysis, understand the risks to the organization and PHI, and implement safeguards contributed to the theft of an unencrypted USB storage device containing patient information.

MAPFRE Life was found out of compliance in the following areas:

  • Impermissible disclosures of PHI
  • Failure to conduct a thorough risk analysis and implement security measures
  • Failure to provide security awareness and training to members of the workforce
  • Failure to implement encryption technologies for protected health information
  • Failure to implement appropriate policies and procedures to comply with the HIPAA Security Rule

Within the press release, OCR Director Jocelyn Samuels stated “Covered entities must not only make assessments to safeguard ePHI, they must act on those assessments as well. OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences.”

Lesson Learned: Don’t ignore the need to be HIPAA compliant. Any device or media that has protected health information needs to be properly protected. HIPAA is not system or hardware specific: It applies to all!

Struggling with HIPAA Compliance?

You are not alone. Many organizations don’t understand what is needed for HIPAA compliance and even where to begin.

The first step an organization can take is to conduct a HIPAA Risk Analysis. This will help an organization understand risks to the organization, understand current controls (technology and administrative) aimed to reduce risks, and create a plan to help increase privacy and security protections to protected health information. If you haven’t conducted a HIPAA risk analysis in the past 12 to 24 months, it is definitely time to conduct one.

Second, make sure that you have a solid set of HIPAA Policies and Procedures that document how your organization is compliant with HIPAA. I emphasize “your organization” because you want to ensure that your policies and procedures reflect your practices and overall statement of what is needed for compliance. Templated policies and procedures serve their purposes, but customization of those templates is a necessity.

Third, make sure that you have a solid training program for your workforce members and that they understand their responsibilities when it comes to protecting patient information. Additionally, reminders should be sent out throughout the year—hearing it multiple ways and at multiple times can help workforce remember and keep protection of the privacy and security of PHI on their mind!

Fourth, don’t panic. If you don’t have a great program or know you are out of compliance, change it. You can take the time to show that you were aware of your lack of compliance and show that you are taking steps towards compliance!

Nobody can go back and start a new beginning, but anyone can start today and make a new ending ~ Maria Robinson

Conclusion

Cheers to a great year! It will be interesting to watch where HIPAA Enforcement and HIPAA Breaches go in 2017!

Want to learn more about how to stay HIPAA compliant? Medical Office Manager is pleased to welcome Danika E. Brinda as presenter of our March 16, 2017 webinar, HIPAA in 2017: Hot Topics You Can’t Ignore. Visit Medical Office Manager to register today. (Remember: Registration is free for premium members.)

