What do Anchorage Community Mental Health Services (ACMHS) in Alaska, Cancer Care Group (CCG) in Indiana, Triple S (SSS) in Puerto Rico, New York-Presbyterian Hospital (NYP) and Columbia University (CU) have in common? Answer: All of these organizations had to pay fines/settlements and implement a HIPAA corrective action plan with similar elements.

| | ACMHS | CCG | SSS | NYP | CU |
|---|---|---|---|---|---|
| Payment | $150,000 | $750,000 | $3,500,000 | $3,300,000 | $1,500,000 |
| Findings | | | | | |
| No Risk Analysis | X | X | X | X | X |
| Lack of Written Policies | X | X | | X | X |
| Corrective Actions | | | | | |
| Risk Assessment | X | X | X | X | X |
| Risk Management Plan | X | X | X | X | X |
| Review/Revise Policies | X | X | X | X | X |
| Revise training program | X | X | X | X | X |

According to OCR Director Jocelyn Samuels, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information …. Further, proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

Do not make the mistake of thinking that these are the only cases taking place. The above cases are simply a random selection we chose to prove our point and share information with you. The point is based on a simple phrase we have used in the past: “if you are going to play the game, make sure you follow the rules.”

In terms of the SSS case in Puerto Rico, which is the most recent settlement, OCR Director Jocelyn Samuels stated, “OCR remains committed to strong enforcement of the HIPAA Rules.” She also added: “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

HIPAA audits are a reality, and based on what we found, OCR’s plan for 2016 is to increase the number of enforcement actions. In addition to that we were able to confirm that:

Our answer to all these events is simple:

1. We have updated our Risk Analysis tools as of December 1st, 2015 and will be training additional affiliates on the same so we can perform these analyses at a reasonable cost with qualified experts.
2. We are launching our second generation Compliance Software in January 2016. The basics of the software include:

So rather than being scared and ignoring these requirements, learn from the experience of others and contact an experienced partner to assist you with the navigation of these waters.