Recent fines from the Department of Health and Human Services (HHS) should raise the eyebrows of physicians and their staff. From failing to have a business associate agreement in place to failing to understand HIPAA's risk-related requirements, HHS is taking a tougher stance on cybersecurity and HIPAA.
While it's hard to believe that more than four years have passed since the Omnibus Rule was published in the Federal Register (78 Fed. Reg. 5566 (Jan. 25, 2013)), what's not hard to believe is that HIPAA enforcement is a priority for HHS and that fines have increased.
Here is a list of some violations and fines from April 2017:
• April 24, 2017 – Failing to implement a security management process to secure protected health information cost Metro Community Provider Network (MCPN), a federally qualified health center (FQHC) in Denver, Colorado, $400,000. Additionally, a corrective action plan was implemented.
• April 20, 2017 – Failing to have a signed Business Associate Agreement in place cost Center for Children's Digestive Health (CCDH) $31,000 after an investigation of its business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. The parties began exchanging PHI as far back as 2003; yet neither party could produce a signed business associate agreement (BAA) dated prior to Oct. 12, 2015. A corrective action plan was also implemented.
• April 12, 2017 – Failing to meet a variety of HIPAA Privacy and Security Rule requirements led to the first fine involving a wireless health services provider. In this instance a resolution agreement and corrective action plan were put in place.
According to HHS, "In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member's laptop was stolen from a parked vehicle outside of the employee's home. The laptop contained the ePHI of 1,391 individuals. OCR's investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet's policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania-based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices."
Physicians can learn a lot from these incidents, but there are four main takeaways. First, be sure to conduct, or at least schedule, an annual risk assessment. Next, it is important for staff to complete annual training on all HIPAA-related topics. Third, be sure to have signed agreements in place with all business associates to protect both parties. And, finally, be sure that all of the policies and procedures at your practice are up to date and actually implemented. Following these four important steps can save a practice time and money.