“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true,” stated by Tod Ferran, a security analyst at SecurityMetrics, Inc. in an article he wrote for Healthcare IT News.
A lot of healthcare entities mistakenly think that if they are covered for EHR HIPAA compliance, then that coverage extends to all of HIPAA’s regulations as well. But, as experts have shown in recent years, HIPAA compliance and EHR compliance are two completely different umbrellas, even if you may be caught in the same storm. Ferran warns healthcare providers that the new HIPAA Security Rule requires that systems are required to be protected against 75 specific security controls. Ferran goes on to state that in order to ensure that your organization’ procedures, policies, and security measures are designed to protect patient health information (PHI) and defend against regulatory penalties, it is important for organizations to “assess their security programs as a whole,” rather than just “simply checking a box”.So, how can an organization protect itself and do everything in its power to safeguard HIPAA compliance? Ferran recommends that organizations take the following actions right away:
- Implement a regular, weekly routine, starting with as few as 30 minutes each session to meet and discuss priorities
- Implement intrusion prevention
- Install anti-malware
- Utilize identity management
- Integrate data-loss prevention tools
- Designate a HIPAA compliance officer or team member
- Conduct annual HIPAA security risk analyses
- Check organizational policies and procedures against HIPAA requirements
- Encrypt patient health information (PHI)
- Use a key accessible only by authorized individuals
- Implement workstation security
In his concluding statement, Ferran recommended that “No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.”
To read Ferran’s full article, visit Healthcare IT News.
In late 2009, the HIPAA breach notification requirement was initiated, which mandated that “HIPAA covered entities and their business associates provide notification following a breach of unsecured protected health information (PHI).” Since that time, more than 32 million people have had their PHI violated in HIPAA privacy and security breaches. In response to the violations, The Office for Civil Rights (OCR), as the HIPAA enforcement arm of the Department of Health and Human Services, imposed more than $26 million in fines against healthcare organizations who have compromised PHI. As part of the ongoing harsh enforcement crackdown, the OCR determined that the following breaches deserved the most severe fines:
5. WellPoint – $1.7 Million
In July of 2013, managed care company WellPoint failed to perform a suitable technical evaluation when upgrading software and disregarded a user verification measure for their web-based patient database. These mishandlings of technology resulted in a breach of 612,402 records made accessible to unauthorized internet users over a period of five months.
4. Concentra Health Services – $1.73 Million
While Concentra’s breach only affected 870 individuals, less than WellPoint’s breach, their fine imposed in April 2014 by OCR was one of the largest. What began as an investigation into a stolen, unencrypted laptop, soon revealed that Concentra failed to enforce encryption policies on close to 28 percent of their laptops. Possibly the biggest surprise in Concentra’s case was that an inventory assessment of Concentra’s PHI-containing non-encrypted laptops was not completed until 2013, more than 4 years after the HIPAA breach notification requirement became instated.
3. CVS Pharmacy – $2.25 Million
In January 2009, OCR found that CVS pharmacies were committing possibly one of the most egregious HIPAA offenses by disposing of PHI in public dumpsters. Alongside the OCR investigation, the Federal Trade Commission also investigated the CVS on its safety policies. The breach by CVS pharmacies was so severe that OCR was not even able to determine the number of individuals affected by the violation.
2. Cignet Health Center – $4.3 Million
The OCR’s investigation into the Maryland-based health center was two-pronged, including denial of medical record access and denial of investigation requests. From 2008 to 2009, Cignet denied 41 patient requests for their medical records, resulting in a fine of $1.3 million. During further investigation by the OCR, Cignet refused to respond to OCR investigation requests for documentation and access, which OCR then responded to with a $3 million fine.
1. New York Presbyterian Hospital and Columbia University – $4.8 Million
The largest fine imposed for a HIPAA breach occurred in May of 2014, when a Columbia University physician attempted to deactivate a personal computer server on the New York Presbyterian and Columbia network containing PHI. Because the personal computer was not set up with appropriate technical safeguards, the deactivation resulted in ePHI being available on Google. The breach was not discovered by the entity, as is normally the case, but rather by a family member who saw their deceased partner’s PHI online and reported the complaint to the hospital. The record belonged to one of 6,800 individuals affected in the breach.
Simple mistakes can equal big fines. So, what are some good easy HIPAA tips:
- Implement best practices for HIPAA and conduct ongoing risk analysis.
- Update your HIPAA compliance training and/or risk assessments to prevent big holes in your PHI security.
- Workforce training and HIPAA policy awareness will go a long way in protecting your organization’s PHI and ensuring privacy and security.
Read the full article at Healthcare IT News. Do you have other questions that you’d like to ask? If you’re wondering how to get started with a HIPAA Compliance Program, or would like to revitalize your current program to stay protected, visit the HIPAA Tool Kit for more information.
According to Data Privacy Monitor and FierceHealthIT, Jerome B. Meites, Office of Civil Rights Chief Regional Counsel for the Chicago Area, said at an American Bar Association Conference that the OCR’s clampdown on HIPAA violations over the next year will be unlike anything we’ve seen in recent years.
While HIPAA violation fines have been rather small compared to most estimates of yearly totals, the OCR will be looking to send a strong message through higher-profile cases that will create a resounding impact on the healthcare industry. The OCR wants the industry to know that HIPAA is not a law to be reckoned with.
In the last year, OCR has imposed record fines on many healthcare entities so as to push the agenda. Since June 1, 2013, nine settlements have amounted to more than $10 million. As the OCR continues their audits, they have said that there will be fewer onsite visits, but a much sharper focus and a heavier hand. Meites also told the American Bar Association Conference that the OCR has a list of more than 1,200 candidates that may be audited in the coming year.
As the number of exposed health records – since federal reporting began in 2009 – has risen to 31.7 million people, it is highly important that each and every organization have a custom HIPAA compliance plan that will suit their individual needs and protect all healthcare privacy and security rights.
Read the full article at FierceHealthIT. How you can mitigate the risks of HIPAA violation crackdowns? Compliagent’s HIPAA Tool Kit provides an all-in-one solution for covering HIPAA Compliance Needs. Find out more at HIPAA Tool Kit.
HIPAA TOOLKIT BLOG 