HIPAA AUDITS COMING IN 2015

January 6, 2015 at 1:42 pm | Posted in Department of Public Health, ePHI, Health and Human Services, HIPAA

The Office of Civil Rights in the Department of Health and Human Services has announced that, among other entities such as healthcare providers, it will audit approximately 100 employer-sponsored health plans and 50 business associates in 2015. It is reported that:

  • Covered entities and business associates will have two weeks following receipt to respond to the initial data requests. OCR will not consider data submitted late.
  • OCR will conduct audits remotely through “desk audits.” Desk audits will be made using an updated audit protocol which OCR has not yet made available.
  • Audit participants will not have an opportunity to provide clarifications or supplemental information after responding to the initial data request.

Within 60 days following their submissions, audit participants will be presented with a draft version of OCR’s final report for review prior to publication. If your health plan has access to an employee’s protected health information (PHI), at a minimum, the following should be done:

  • Adopt written HIPAA policies and procedures addressing the HIPAA privacy, security, and breach notification rules;
  • Designate a HIPAA privacy official and a HIPAA security official;
  • Conduct a detailed analysis of the risks and vulnerabilities of electronic PHI;
  • Train those members of your workforce who have access to PHI;
  • Identify any HIPAA Business Associates, make sure you have a HIPAA Business Associate agreement with each of them, and alert them to your expectations regarding the safekeeping of your plan’s PHI.


Failure to Secure PHI and Two Stolen Laptops Results in $1,975,220 in HIPAA Violation Fines

April 23, 2014 at 1:25 pm | Posted in Compliance, ePHI, Health and Human Services, HIPAA, Regulations

The HHS Office of Civil Rights (OCR) announced that it has levied $1,975,220 in HIPAA fines against Concentra Health Services and QCA Health Plan Inc. for their failure to encrypt PHI stored on two laptops that were stolen.

Both Concentra and QCA, who self-reported the stolen laptops, had undergone a HIPAA risk analysis and were aware of the risk, but did nothing to secure the PHI stored on the laptops. The Concentra laptop was stolen from an employee’s office. The QCA laptop was stolen from an employee’s car. Concentra was fined $1,725,220 and QCA was fined $250,000.

“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”

A copy of the HHS OCR press release is here:
http://www.hhs.gov/news/press/2014pres/04/20140422b.html

Dermatology Clinic Pays $150,000 HIPAA Fine for Lost Thumb Drive with Unencrypted Patient Information

December 30, 2013 at 10:26 am | Posted in Compliance, ePHI, Federal Laws, Health and Human Services, Health Care, HIPAA, Regulations

The HHS Office of Civil Rights (OCR) reports that a Concord, MA, dermatology clinic has agreed to pay a $150,000 fine as a settlement of alleged violations of HIPAA privacy, security, and breach notification provisions. OCR announced that: “This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).” The clinic lost, and never recovered, an unencrypted thumb drive with protected health information for approximately 2,200 patients.

The OCR investigation concluded that the clinic did not (1) conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process; and (2) fully comply with the requirements of the breach notification rule to have written policies and procedures in place and to train workforce members. In addition to paying the $150,000 fine, the clinic also agreed to create a corrective action plan consisting of risk analysis and risk management components to address and mitigate any additional potential security risks and vulnerabilities.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html
