“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true,” stated by Tod Ferran, a security analyst at SecurityMetrics, Inc. in an article he wrote for Healthcare IT News.
A lot of healthcare entities mistakenly think that if they are covered for EHR HIPAA compliance, then that coverage extends to all of HIPAA’s regulations as well. But, as experts have shown in recent years, HIPAA compliance and EHR compliance are two completely different umbrellas, even if you may be caught in the same storm. Ferran warns healthcare providers that the new HIPAA Security Rule requires that systems are required to be protected against 75 specific security controls. Ferran goes on to state that in order to ensure that your organization’ procedures, policies, and security measures are designed to protect patient health information (PHI) and defend against regulatory penalties, it is important for organizations to “assess their security programs as a whole,” rather than just “simply checking a box”.So, how can an organization protect itself and do everything in its power to safeguard HIPAA compliance? Ferran recommends that organizations take the following actions right away:
- Implement a regular, weekly routine, starting with as few as 30 minutes each session to meet and discuss priorities
- Implement intrusion prevention
- Install anti-malware
- Utilize identity management
- Integrate data-loss prevention tools
- Designate a HIPAA compliance officer or team member
- Conduct annual HIPAA security risk analyses
- Check organizational policies and procedures against HIPAA requirements
- Encrypt patient health information (PHI)
- Use a key accessible only by authorized individuals
- Implement workstation security
In his concluding statement, Ferran recommended that “No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.”
To read Ferran’s full article, visit Healthcare IT News.
In late 2009, the HIPAA breach notification requirement was initiated, which mandated that “HIPAA covered entities and their business associates provide notification following a breach of unsecured protected health information (PHI).” Since that time, more than 32 million people have had their PHI violated in HIPAA privacy and security breaches. In response to the violations, The Office for Civil Rights (OCR), as the HIPAA enforcement arm of the Department of Health and Human Services, imposed more than $26 million in fines against healthcare organizations who have compromised PHI. As part of the ongoing harsh enforcement crackdown, the OCR determined that the following breaches deserved the most severe fines:
5. WellPoint – $1.7 Million
In July of 2013, managed care company WellPoint failed to perform a suitable technical evaluation when upgrading software and disregarded a user verification measure for their web-based patient database. These mishandlings of technology resulted in a breach of 612,402 records made accessible to unauthorized internet users over a period of five months.
4. Concentra Health Services – $1.73 Million
While Concentra’s breach only affected 870 individuals, less than WellPoint’s breach, their fine imposed in April 2014 by OCR was one of the largest. What began as an investigation into a stolen, unencrypted laptop, soon revealed that Concentra failed to enforce encryption policies on close to 28 percent of their laptops. Possibly the biggest surprise in Concentra’s case was that an inventory assessment of Concentra’s PHI-containing non-encrypted laptops was not completed until 2013, more than 4 years after the HIPAA breach notification requirement became instated.
3. CVS Pharmacy – $2.25 Million
In January 2009, OCR found that CVS pharmacies were committing possibly one of the most egregious HIPAA offenses by disposing of PHI in public dumpsters. Alongside the OCR investigation, the Federal Trade Commission also investigated the CVS on its safety policies. The breach by CVS pharmacies was so severe that OCR was not even able to determine the number of individuals affected by the violation.
2. Cignet Health Center – $4.3 Million
The OCR’s investigation into the Maryland-based health center was two-pronged, including denial of medical record access and denial of investigation requests. From 2008 to 2009, Cignet denied 41 patient requests for their medical records, resulting in a fine of $1.3 million. During further investigation by the OCR, Cignet refused to respond to OCR investigation requests for documentation and access, which OCR then responded to with a $3 million fine.
1. New York Presbyterian Hospital and Columbia University – $4.8 Million
The largest fine imposed for a HIPAA breach occurred in May of 2014, when a Columbia University physician attempted to deactivate a personal computer server on the New York Presbyterian and Columbia network containing PHI. Because the personal computer was not set up with appropriate technical safeguards, the deactivation resulted in ePHI being available on Google. The breach was not discovered by the entity, as is normally the case, but rather by a family member who saw their deceased partner’s PHI online and reported the complaint to the hospital. The record belonged to one of 6,800 individuals affected in the breach.
Simple mistakes can equal big fines. So, what are some good easy HIPAA tips:
- Implement best practices for HIPAA and conduct ongoing risk analysis.
- Update your HIPAA compliance training and/or risk assessments to prevent big holes in your PHI security.
- Workforce training and HIPAA policy awareness will go a long way in protecting your organization’s PHI and ensuring privacy and security.
Read the full article at Healthcare IT News. Do you have other questions that you’d like to ask? If you’re wondering how to get started with a HIPAA Compliance Program, or would like to revitalize your current program to stay protected, visit the HIPAA Tool Kit for more information.