Tuesday, 23 January 2018 11:54

2017 HIPAA Cases: Here's the message

At the start of each new year, it is always good to look back at federal settlements under the Health Insurance Portability and Accountability Act (HIPAA). That is how you know what matters most to the Feds in terms of privacy enforcement.

From 2017, here is a short list of key messages:

  • It’s your job to understand HIPAA requirements.
  • Execute Business Associate Agreements with vendors and independent contractors that have potential access to protected health information (PHI).
  • Don’t rest easy because you have security policies; you also need to manage security processes for daily vigilance.
  • If you do experience a breach, report to the Feds in a timely manner.
  • Be sure to monitor activity on your databases.

Now let’s take these one by one, with examples illustrating each point.

  • Understanding HIPAA requirements:

In a case involving CardioNet, a provider of remote mobile monitoring for heart patients, the Feds said that a lack of understanding of HIPAA creates risk. CardioNet paid the cost of that ignorance in a $2.5 million settlement stemming from a laptop containing protected health information that was stolen from an employee's vehicle. Read the Press Release.

  • Business Associate Agreements:

In April, the Feds put out a news alert with the headline "No Business Associate Agreement? $31K Mistake."

It was as if to say "Gotcha," albeit in a small settlement by HIPAA standards. The case involved a children's digestive health center. While investigating one of the center's Business Associates, the Feds discovered that no Business Associate Agreement was in place, and executing one was the health center's responsibility. Read the Resolution Agreement and Corrective Action Plan - PDF.

  • Security management:

In a case involving unauthorized access to health information, Memorial Healthcare System (MHS) paid the Feds $5.5 million to settle potential violations. Protected health information had been impermissibly accessed and disclosed using the still-active login credentials of a former employee of an affiliated physician's office. The unauthorized access took place daily for about a year and went undetected because database activity was not being monitored. Read the Resolution Agreement.

  • Timely breach response:

A case involving Children's Medical Center of Dallas (Children's) stemmed from the impermissible disclosure of unsecured electronic protected health information and non-compliance with HIPAA standards over many years, according to the Feds. The Feds issued a notice to Children's that included instructions for requesting a hearing; Children's did not request one. Children's paid a civil money penalty of $3.2 million, and the Feds called out the issue of timely response. Read the Press Release.

  • Monitor databases:

This is essential to HIPAA compliance. In a case resulting in a $2.3 million settlement, the Federal Bureau of Investigation (FBI) notified 21st Century Oncology, Inc. (21CO) on two separate occasions that patient information had been illegally obtained by an unauthorized third party. The evidence included 21CO patient files purchased by an FBI informant. Among other things, the Feds determined that 21CO had failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports. Read the News Release.
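The monitoring failures behind the MHS and 21CO cases come down to nobody reading the access records that already existed. Below is an added example of that review, written for this page and not code from the original post or from either organization: it parses constructed database audit log lines (the CSV layout, user names, patient IDs, termination dates and daily limit are all made up for illustration) and flags two things, access by an account whose holder has left or that has no directory record at all, and a user whose daily record views exceed a role baseline.

```python
"""Review database access logs for activity that should not be there.

Added example, not code from the original post or from any of the
organizations it describes. The log format, field names, user records
and thresholds below are assumptions made up for illustration.
"""
from collections import Counter
from datetime import date, datetime

# Constructed access-log lines in the form: timestamp,user,action,patient_id
# (an assumed layout; real EHR and database audit logs differ by vendor).
SAMPLE_LOG = """\
2017-03-01T08:02:11,jsmith,SELECT,P1001
2017-03-01T08:05:40,jsmith,SELECT,P1002
2017-03-01T09:15:02,rdoe,SELECT,P2001
2017-03-01T22:41:37,rdoe,SELECT,P2002
2017-03-01T22:42:09,rdoe,SELECT,P2003
2017-03-01T22:42:51,rdoe,SELECT,P2004
2017-03-02T08:00:59,jsmith,SELECT,P1003
2017-03-02T23:10:13,rdoe,SELECT,P2005
2017-03-02T23:11:44,rdoe,SELECT,P2006
2017-03-02T23:12:05,rdoe,SELECT,P2007
2017-03-02T23:12:30,rdoe,SELECT,P2008
"""

# Constructed directory: every account that should exist, with the date its
# holder left (None = still employed). In the MHS case the credential belonged
# to a former employee of an affiliated practice, so this list has to cover
# affiliates' staff as well as the covered entity's own workforce.
TERMINATIONS = {
    "jsmith": None,
    "rdoe": date(2016, 11, 30),  # left an affiliated physician office
}

# Assumed daily ceiling for a role that normally touches a handful of charts.
DAILY_LIMIT = 3


def parse_log(text):
    """Yield (timestamp, user, action, patient_id) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split(",")
        yield datetime.fromisoformat(ts), user, action, patient


def find_terminated_user_access(events, terminations):
    """Accesses by accounts that are unknown to the directory or whose holder
    left before the access happened. Each finding is (time, user, patient, reason)."""
    findings = []
    for ts, user, _action, patient in events:
        if user not in terminations:
            findings.append((ts.isoformat(), user, patient, "no directory record"))
        elif terminations[user] is not None and ts.date() > terminations[user]:
            findings.append((ts.isoformat(), user, patient, "after termination"))
    return findings


def find_daily_volume_outliers(events, limit):
    """(user, day, count) for every user-day with more than `limit` record views."""
    counts = Counter((user, ts.date()) for ts, user, _action, _patient in events)
    return sorted((u, d.isoformat(), n) for (u, d), n in counts.items() if n > limit)


def review(log_text, terminations=TERMINATIONS, limit=DAILY_LIMIT):
    """Run both checks over one log extract and return the findings by kind."""
    events = list(parse_log(log_text))
    return {
        "terminated_access": find_terminated_user_access(events, terminations),
        "volume_outliers": find_daily_volume_outliers(events, limit),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run daily against the previous day's extract and route the findings to whoever owns access management. The termination check is the one that would have caught the MHS pattern on day one rather than after a year, and it only works if the directory it compares against is fed by affiliates' HR systems, not just your own.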

The vast majority of HIPAA cases are resolved through corrective action plans that the Feds monitor.  While that means no fine, you'll still have the Feds hovering over you for a while.

Last modified on Friday, 02 February 2018 13:52