Monday, 30 January 2017 08:42

2016 HIPAA cases give insights into HIPAA audits


With federal HIPAA audits now under way, it’s a good time to review the lessons from the HIPAA cases announced in 2016. Common themes clearly prevail.

In reviewing these lessons, keep in mind that the feds continue to clarify the stricter rules in place since 2013 under the Health Insurance Portability and Accountability Act (HIPAA). Since federal audits began only last year, gray areas remain.

Here are some overriding messages from recent federal cases and news releases:

1. Risk Assessment

Make this a top priority, and include all remote facilities in your assessment. Also account for the security of the mobile devices and databases that travel with employees, including telecommuters, into their homes and cars. Multiple settlements drive home this point. Also remember that proper policies and procedures are part of risk analysis and mitigation, not a separate exercise.

Example: The case of St. Joseph Health (SJH), which operates hospitals, home health agencies, hospice care, outpatient services, skilled nursing facilities, community clinics and physician organizations in California, Texas and New Mexico. SJH agreed to pay $2.14 million in a settlement with the U.S. Office for Civil Rights (OCR) relating to a report that files containing electronic protected health information (ePHI) were publicly accessible through internet search engines from 2011 until 2012. A server SJH purchased included a file sharing application whose default setting allowed anyone with an internet connection to access the data, potentially exposing the records of nearly 32,000 patients.

The feds said: Although SJH hired a number of contractors to assess risks and vulnerabilities, the evidence indicated a “patchwork” approach that fell short of an “enterprise-wide risk analysis.” The practical lesson is that a risk analysis which does not cover the default configuration of every system that stores ePHI, including newly purchased servers, is not enterprise-wide.

2. Business Associate Agreements

Again, multiple cases reinforce this as a big priority. The point is that if any outside person or vendor can access, or could potentially access, your patients’ protected health information, you must hold that vendor or individual to the same rules that apply to you, through a formal business associate agreement (BAA). Also know that HIPAA audits extend to business associates themselves.

Example: The Archdiocese of Philadelphia agreed to pay $650,000 to settle potential privacy violations relating to the theft of a mobile device containing protected health information for 412 nursing home residents. In this case, Catholic Health Care Services (CHCS), an agency of the Archdiocese, performed IT services as a business associate to six skilled nursing facilities. The potential breach resulted from the theft of a CHCS-issued employee iPhone that was neither encrypted nor password protected. The information on the iPhone included social security numbers, information about diagnoses, medications and treatments, and the names of family members and legal guardians.

The feds said: CHCS had no policies addressing the removal of mobile devices containing patient information from its facility, and no risk analysis or risk management plan. Note that encryption with a passcode is what makes a lost or stolen device’s contents unreadable; an unencrypted phone without a passcode offers no protection at all once it leaves the building.


3. Smaller providers

You’re on the hook, too. HIPAA-covered providers of all types and sizes are subject to audits. Last fall, OCR announced that it is now working with its regional offices to “more widely investigate the root causes of breaches affecting fewer than 500 individuals.” The regional offices still have discretion over which smaller breaches to investigate, but each office will increase its efforts to address them.

4. Insider threats

In a recent newsletter, OCR discussed the “insider threat” as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven, whether through a malicious employee or through an account that an outside attacker has taken over.

According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.

Keep in mind that once patient information reaches unauthorized ears and eyes, nothing stops it from being posted on social media. And yes, that does happen, often to the patients who are most vulnerable and least able to see it coming.


Last modified on Thursday, 02 February 2017 11:31


  • Comment Link Ingrid Friday, 15 June 2018 22:09 posted by Ingrid

    Hello there and thank you for your information – I've definitely picked up something new from right here.
    I did however experience several technical issues using this website, as I
    had to reload the web site lots of times before I could get it to
    load properly. I had been wondering if your web hosting is OK?
    Not that I'm complaining, but sluggish loading times will sometimes affect your placement in Google and
    can damage your high-quality score if advertising and marketing with Adwords.
    Anyway I am adding this RSS to my e-mail and could look out for
    a lot more of your respective fascinating content.
    Make sure you update this again very soon.

  • Comment Link Lea Tuesday, 12 June 2018 12:13 posted by Lea

    Wonderful goods from you, man. I've taken into account your
    stuff prior to and you're just extremely excellent.

    I actually like what you have obtained here, certainly like what you are
    saying and the way by which you assert it. You are making it entertaining and you still take care to keep it smart.
    I cannot wait to read much more from you. This is really a
    wonderful site.

  • Comment Link becca_luna Tuesday, 05 June 2018 03:22 posted by becca_luna

    There are some of you out there who probably haven’t heard of This is one of those must see sites. It’s full of extremely attractive ladies. You’re going to want to put down your sandwich when visiting this site. It’s impossible to focus on anything but the babes they have to offer.

  • Comment Link nike zoom Tuesday, 22 May 2018 02:49 posted by nike zoom

    I must point out my respect for your kind-heartedness for folks that actually need help with this important question. Your special dedication to getting the message all around became remarkably effective and has helped folks much like me to attain their aims. Your personal invaluable help denotes so much to me and far more to my peers. With thanks; from all of us.

  • Comment Link bape hoodie Monday, 21 May 2018 23:27 posted by bape hoodie

    My spouse and I were quite fortunate when Raymond could deal with his research through the precious recommendations he gained using your web site. It is now and again perplexing to just find yourself giving away for free information and facts which often some others may have been making money from. So we know we need to thank you for that. Those explanations you made, the easy blog navigation, the relationships you make it possible to foster - it is most wonderful, and it's really assisting our son in addition to us to imagine that the issue is thrilling, which is certainly extraordinarily vital. Thank you for the whole lot!

  • Comment Link adidas yeezy boost Monday, 21 May 2018 20:21 posted by adidas yeezy boost

    I want to show my thanks to this writer just for bailing me out of such a trouble. Just after looking through the net and seeing solutions which were not productive, I assumed my entire life was over. Being alive without solutions to the issues you have solved through your blog post is a critical case, as well as the kind which could have adversely damaged my career if I hadn't come across the website. That understanding and kindness in maneuvering the whole thing was precious. I'm not sure what I would've done if I had not discovered such a thing like this. It's possible to at this moment relish my future. Thanks very much for your reliable and amazing guide. I won't be reluctant to refer your web page to anyone who should receive support on this matter.

  • Comment Link chrome hearts Monday, 21 May 2018 17:54 posted by chrome hearts

    Thank you a lot for providing individuals with an extremely brilliant possibility to read articles and blog posts from this blog. It is often very useful and also stuffed with a great time for me personally and my office colleagues to search your site nearly three times in one week to read the newest guides you have got. And of course, I'm also usually satisfied with the superb suggestions you serve. Some 3 areas in this post are clearly the most effective we have ever had.

  • Comment Link adidas yeezy Monday, 21 May 2018 15:34 posted by adidas yeezy

    Thanks so much for giving everyone a remarkably pleasant chance to discover important secrets from this website. It's always so nice and as well packed with fun for me personally and my office fellow workers to visit your website not less than thrice every week to read through the latest tips you have got. And indeed, I'm usually pleased with the striking principles you give. Some two ideas on this page are in fact the finest we've ever had.

  • Comment Link adidas ultra boost Monday, 21 May 2018 14:22 posted by adidas ultra boost

    Thanks for all your valuable labor on this website. My mum enjoys making time for investigation and it is obvious why. Most people hear all about the compelling mode you create important solutions by means of your web blog and even welcome contribution from some other people about this matter, plus our own girl is in fact starting to learn so much. Have fun with the remaining portion of the new year. You're conducting a great job.

  • Comment Link jordan shoes Monday, 21 May 2018 13:08 posted by jordan shoes

    I precisely wished to thank you very much yet again. I do not know the things I would've handled without the actual creative concepts documented by you over that topic. This was a terrifying matter in my view, but spending time with the professional way you managed it took me to weep for fulfillment. Now I am grateful for the information and then expect you really know what a powerful job you happen to be doing teaching other individuals through a blog. Probably you've never got to know all of us.


10 Step HIPAA Plan

  • Step 1: Confirm you are a covered entity
    What's inside: lists of who is generally covered and who is not, plus a contact for inquiries.
  • Step 2: Provide leadership
    What's inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Document processes, findings, and actions
    What's inside: templates for security policies and procedures.
  • Step 4: Conduct a security risk analysis
    What's inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths
    • Interactive tutorial: 156 questions with fillable PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan
    What's inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists
    • Toolkit on 45 implementation specifications
  • Step 6: Manage and mitigate risks
    What's inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Prevent breaches
    What's inside:
    • Form for reporting a breach notification
    • Links to details on the notification process and what constitutes a breach
    • Suite of training materials
  • Step 8: Communicate with patients
    What's inside (for all):
    • Privacy notice templates to help achieve meaningful consent, in English and Spanish
    • Professionals' guide covering 2013 updates on communications
    • Electronic toolkit with patient education and meaningful consent sample materials
  • Step 9: Update or execute Business Associate Agreements (BAAs)
    What's inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA management tools
  • Step 10: Attest to compliance with security objectives
    What's inside:
    • Tip sheets
    • Short videos
    • Overviews
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government
    All from federal sources.