HIPAA Privacy and Security Enforcement Examples to illustrate why you can’t afford to go wrong.
• $4.3 million fine for Cignet Health of Maryland for multiple HIPAA violations
• $1 million settlement with Mass General Hospital regarding records
• $865K+ settlement with UCLA Medical Center for snooping in celebrity records
• $100K settlement with a physician’s office for using insecure e-mail and calendar
• $1.5 million settlement with BC/BS of Tennessee for lost hard drives
• $1.5 million settlement with MEEI for lack of security for portable devices
HHS Is Serious About Enforcement
Could You Be The Subject Of Enforcement?
Breach
• Reporting your own violations may result in a compliance review
Complaint
• An individual reporting a suspected violation can trigger a compliance investigation
Random Audit
• HITECH §13411 requires HHS to periodically audit covered entities and business associates subject to HIPAA Privacy and Security rules, effective 2/17/10
The Kind Of Issues Behind Settlements And Fines
Security and privacy issues that involve:
• Laptops and portable devices
• Insecure systems
• Improper handling of PHI
Enforcement Lessons and Priorities
Information Security Management Process
• Perform risk analysis and risk management
• Prepare for incident handling and breach notification
• Implement policies and procedures
• Establish training and documentation
• Perform internal audits and system reviews
• Secure e-mail network for professional communications with PHI
• Secure your laptops and portable devices
• Use secure system implementation and decommissioning processes
Enforcement Lessons and Priorities
Privacy Rule Compliance
• Have complete policies and procedures
• Handle physical records properly
• Properly shred discarded paper and dispose of pill bottles
• Have good policies and procedures on how to work outside the office
• Apply sanctions for violations of HIPAA policies
• Handle individual requests for records properly
• Don’t leave unsecured records in public areas
The Four-Step Follow-Up
First: Secure Data at Rest & in Motion
Second: Train Your Staff
Third: Establish Your Information
Fourth: Follow Through
Your to-do list …
• Don’t be in denial – willful neglect costs more than compliance
• Review your policies and procedures per the rules
• Review the questions asked in prior HIPAA audits
• Do your information security risk analysis
• Get a third party opinion and/or review
• Make sure you can show policies have been applied
• Document, document, document!
• Conduct drills in audit and breach response
• Make corrections based on results
• Always have a plan for moving forward, and follow it!
To know more about HIPAA audit and compliance, visit www.complianceonline.com
Thank You