hipaa enforcement examples

HIPAA Privacy and Security Enforcement Examples to illustrate why you can’t afford to go wrong.

Upload: complianceonline123

Post on 11-Feb-2017

Page 1: Hipaa enforcement examples

HIPAA Privacy and Security Enforcement

Examples to illustrate why you can’t afford to go wrong.

Page 2

HHS Is Serious About Enforcement

• $4.3 million fine for Cignet Health of Maryland for multiple HIPAA violations

• $1 million settlement with Mass General Hospital regarding records

• $865K+ settlement with UCLA Medical Center for snooping in celebrity records

• $100K settlement with a physician’s office for using insecure e-mail and calendar

• $1.5 million settlement with BC/BS of Tennessee for lost hard drives

• $1.5 million settlement with MEEI for lack of security for portable devices

Page 3

Could You Be The Subject Of Enforcement?

Breach

• Reporting your own violations may result in a compliance review

Complaint

• An individual reporting a suspected violation can trigger a compliance investigation

Random Audit

• HITECH §13411 requires HHS to periodically audit covered entities and business associates subject to HIPAA Privacy and Security rules, effective 2/17/10

Page 4

The Kind Of Issues Behind Settlements And Fines

Security and privacy issues that involve:

• Laptops and portable devices

• Insecure systems

• Improper handling of PHI

Page 5

Enforcement Lessons and Priorities

Information Security Management Process

• Perform risk analysis and risk management

• Prepare for incident handling and breach notification

• Implement policies and procedures

• Establish training and documentation

• Perform internal audits and system reviews

• Secure e-mail network for professional communications with PHI

• Secure your laptops and portable devices

• Use secure system implementation and decommissioning processes

Page 6

Enforcement Lessons and Priorities

Privacy Rule Compliance

• Have complete policies and procedures

• Handle physical records properly

• Don’t leave unsecured records in public areas

• Properly shred discarded paper and dispose of pill bottles

• Have good policies and procedures on how to work outside the office

• Apply sanctions for violations of HIPAA policies

• Handle individual requests for records properly

Page 7

The Four-Step Follow-Up

First: Secure Data at Rest & in Motion

Second: Train Your Staff

Third: Establish Your Information

Fourth: Follow Through

Page 8

Your to-do list…

Don’t be in denial – willful neglect costs more than compliance

Review your policies and procedures per the rules

Review the questions asked in prior HIPAA audits

Do your information security risk analysis

Get a third party opinion and/or review

Make sure you can show policies have been applied

Document, document, document!

Conduct drills in audit and breach response

Make corrections based on results

Always have a plan for moving forward, and follow it!

Page 9

Thank You

To know more about HIPAA audit and compliance, visit www.complianceonline.com