hipaa enforcement examples
HIPAA Privacy and Security Enforcement
Examples to illustrate why you can’t afford to go wrong.
HHS Is Serious About Enforcement
$4.3 million fine for Cignet Health of Maryland for multiple HIPAA violations
$1 million settlement with Mass General Hospital regarding records
$865K+ settlement with UCLA Medical Center for snooping in celebrity records
$100K settlement with a physician’s office for using insecure e-mail and calendar
$1.5 million settlement with BC/BS of Tennessee for lost hard drives
$1.5 million settlement with MEEI for lack of security for portable devices
Could You Be The Subject Of Enforcement?
Breach • Reporting your own violations may result in a compliance review
Complaint • An individual reporting a suspected violation can trigger a compliance investigation
Random Audit • HITECH §13411 requires HHS to periodically audit covered entities and business associates subject to HIPAA Privacy and Security rules, effective 2/17/10
The Kind Of Issues Behind Settlements And Fines
Security and privacy issues that involve:
Laptops and portable devices
Insecure systems
Improper handling of PHI
What to do about them:
Perform risk analysis and risk management
Prepare for incident handling and breach notification
Implement policies and procedures
Establish training and documentation
Perform internal audits and system reviews
Secure e-mail network for professional communications with PHI
Secure your laptops and portable devices
Use secure system implementation and decommissioning processes
Enforcement Lessons and Priorities
Information Security Management Process
Have complete policies and procedures
Handle physical records properly
Don’t leave unsecured records in public areas
Properly shred discarded paper and dispose of pill bottles
Have good policies and procedures on how to work outside the office
Apply sanctions for violations of HIPAA policies
Handle individual requests for records properly
Enforcement Lessons and Priorities
Privacy Rule Compliance
The Four-Step Follow-Up
First: Secure Data at Rest & in Motion
Second: Train Your Staff
Third: Establish Your Information
Fourth: Follow Through
Your to-do list…
Don’t be in denial – willful neglect costs more than compliance
Review your policies and procedures per the rules
Review the questions asked in prior HIPAA audits
Do your information security risk analysis
Get a third party opinion and/or review
Make sure you can show policies have been applied
Document, document, document!
Conduct drills in audit and breach response
Make corrections based on results
Always have a plan for moving forward, and follow it!
Thank You
To know more about HIPAA audit and compliance, visit www.complianceonline.com