It is likely you have seen headlines, and possibly read a few articles, about the risks and liabilities physicians are exposed to if they do not adequately comply with the myriad requirements of the HIPAA Privacy and Security Rules: “Don’t Neglect Business Associate Agreements” reads one headline; “Closing HIPAA Compliance Gaps: Getting your Policies in Order” and “The Top Ten HIPAA Violations and How to Prevent Them” read a couple of others. Alongside articles like these, which aim to educate providers and the medical community about HIPAA requirements and how to comply with them, are the articles that describe the hefty fines or other consequences levied when things go wrong: “Medical Center to Settle Alleged HIPAA violation for $218,000,” “Pharmacy Pays $130,000 to settle HIPAA Violations,” or “Hospital Employee Receives 20 Month Jail Term for HIPAA Violations.” The numerous articles that appear about HIPAA on a daily basis bring our attention to, and reinforce, the importance of proactive compliance with HIPAA and its implementing regulations.
To emphasize the immediacy of this issue, simply look at what happened just this September, when the U.S. Department of Health and Human Services (HHS) settled with a cancer care physician group for a $750,000 fine and a corrective action plan that is effective for three years and requires the group to regularly submit reports to HHS. Back in 2012, the physician group reported a HIPAA security breach to the Office for Civil Rights (OCR), the HHS division that enforces the HIPAA Privacy and Security Rules. The breach occurred when an employee of the group was the victim of a theft: a laptop bag containing a laptop and backup media for a computer server was stolen from the employee’s car. The backup media, which was not encrypted, contained Protected Health Information (PHI) for 55,000 individuals. Following the physician group’s report of the incident, OCR investigated the group and determined that it was generally non-compliant with the HIPAA Security Rule. Among OCR’s findings were a total lack of any written policy to address and control the removal of electronic media from the group’s office locations, and a failure to have conducted an enterprise-wide risk analysis at the time the laptop and backup media were stolen.
Had the physician group had a policy in place regarding electronic media and conducted a regular risk analysis, as it should have on both counts, it is very possible the group could have avoided the breach altogether, or at the very least avoided the steep penalty and the significant reporting requirements that accompany the corrective action plan. Covered Entities and Business Associates that are subject to the HIPAA Privacy and Security Rules must make sure to have such written policies in place and to regularly conduct a risk assessment to identify potential vulnerabilities in the organization. Contact Frier Levitt for assistance in making sure your practice complies with these and other HIPAA requirements.