According to the global information service Experian, stolen health records in the wrong hands are worth far more than stolen credit card data. Healthcare organizations continue to improve their defenses to make it harder for hackers to succeed. However, according to Trent Peters, CIO of DataFile Technologies, consumers are far more likely to have medical information stolen as a result of internal risks at clinics, such as a stolen laptop or an employee falling prey to a phishing attack. Click here to read the full Kansas City Business Journal article on this important topic.
Sometimes healthcare regulations can seem like a moving target, constantly evolving as we work to keep up with our increasingly connected world. Even in an environment of change, some trends remain constant, including the importance of protecting patient privacy and rights through an annual review of compliance with the HIPAA Privacy and Security Rules, more commonly referred to as a Security Risk Analysis (SRA).
As healthcare becomes more technologically advanced, more emphasis is being placed on the importance of conducting a comprehensive SRA. In fact, recent Office of Civil Rights (OCR) audits will specifically review the SRAs of both Covered Entities and Business Associates. In June, Catholic Health Care Services of the Archdiocese of Philadelphia (a Business Associate) was fined $650,000 by Health and Human Services (HHS) for failure to conduct an “accurate and thorough” SRA. Just this month, we saw HHS issue a record $5.5 million fine to Advocate Health Care Network in part because of failure to conduct an appropriate Security Risk Analysis.
Jocelyn Samuels, Director of the OCR, emphasized the importance of a robust Security Risk Analysis, stating “We hope this settlement sends a strong message to Covered Entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure. This includes implementing physical, technical and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
What’s your liability limit? Are you willing to accept penalties of $650,000, or $5.5 million, as we’ve seen in these cases, for failure to complete a strong SRA? Many organizations conduct their SRA in house in an effort to check off a box for Meaningful Use program requirements. But given the importance of compliance, is that the best option for you? As healthcare data experts, DataFile Technologies offers a comprehensive HIPAA compliance solution, which includes a team of experts conducting your Security Risk Analysis for you.
If you’d like to learn more about the DataFile Security Risk Analysis solution, please email Kathryn Ayers Wickenhauser, our Meaningful Use / HIPAA Compliance Consultant, at Kathryn.Wickenhauser@DataFileTechnologies.com. Kathryn will provide a customized quote based on your total number of employees (including providers).
The Office for Civil Rights appears to be sending a stern and serious message to practices nationwide as the first stage of Meaningful Use wraps up. Less than four months after the Alaska DHHS’s $1.7 million settlement we reported on in August, another practice has been slammed with a $1.5 million fine for a potential breach of the Health Insurance Portability and Accountability Act.
Two years after alerting the OCR of their own security breach in the form of a stolen laptop, Massachusetts Eye and Ear Associates Inc. and its associated hospital Massachusetts Eye and Ear Infirmary (collectively referred to as “MEEI”) have agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential HIPAA violations.
According to reports, the laptop did not contain patient billing information, and none of the patients in question appear to have suffered any harm as a result of the theft. Regardless, it was enough for the OCR to launch a full investigation, and as they fell down the rabbit hole of deficiencies and overlooked security gaps in MEEI’s systems, they found failures in the following areas:
- Failure to conduct a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices
- Failure to implement security measures sufficient to ensure the confidentiality of ePHI that MEEI created, maintained and transmitted using portable devices
- Failure to adopt and implement policies and procedures addressing security incident identification, reporting and response
The OCR investigation revealed that these failures continued over an extended period of time, “demonstrating a long-term, organizational disregard for the requirements of the Security Rule.”
Despite MEEI’s reported “disappointment” in the OCR’s pricey ruling (citing the “lack of patient harm” and the hospital’s relatively low annual revenues), the fine stands – and it should serve as a reminder that even smaller practices risk crippling fines if found non-compliant.
We can only anticipate that these audits – and the fines that follow them – will become increasingly frequent and severe. If you aren’t 100% sure your practice would be safe and sound in the face of a scrutinizing review, DataFile can help. We specialize in securing practices with comprehensive security risk analyses and even offer the option to outsource medical records management, including the full transfer of HIPAA liability under the HITECH Act. Make sure your practice doesn’t get caught red-handed. Call us at 816.437.9134 for a free consultation.
In every practice’s nightmare come true, the Alaska Department of Health and Human Services had a single misstep that sparked a full-blown audit – exposing all manner of skeletons in its electronic medical records system’s closet.
It started with a portable electronic storage device (a USB hard drive) being stolen from the vehicle of an Alaska DHHS employee. The drive potentially contained protected health information, and the Department of Health and Human Services’ Office of Civil Rights launched a thorough investigation of the Alaska DHHS to determine whether it was up to date on all current security precautions for its electronic medical systems.
The investigation uncovered, among other things, that the Alaska DHHS had not performed an acceptable security risk assessment of its systems. Additionally, it had not implemented sufficient risk management measures, had not completed security training for Alaska DHHS workforce members, and had not implemented device and media controls.
“Covered entities must perform a full and comprehensive risk assessment and have in place meaningful access controls to safeguard hardware and portable devices,” OCR director Leon Rodriguez said in a statement.
After all was said and done, the Alaska DHHS settled for $1.7 million – a shockingly high figure that will likely serve as a wake-up call for every practice putting off its security risk assessment, or thinking it can get by with a less comprehensive review because it doesn’t expect ever to be audited.
With the first installment of Meaningful Use payments coming to an end this year (2012), practices are focused on how to secure their full incentive payment. But audits are being performed more frequently, and that number is expected to rise even further with the implementation of the Affordable Care Act (aka “Obamacare”) over the next few years, so incentive payments pale in comparison to these debilitating fines for non-compliance.
Here at DataFile, we offer a comprehensive security risk analysis that not only helps you check off some of the measures on your Meaningful Use attestation, but also ensures you are audit-proof in the event of an investigation – no matter how intensive.
If your practice has been putting off its security risk assessment, stop waiting – you never know when a surprise visit from the OCR could have you shelling out massive fines. Contact us online or call one of our experts at DataFile at 816.437.9134 to find out more.