Here is something covered entities need to know: the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights has collected some serious HIPAA settlement money from the healthcare industry during 2016.
10 HIPAA violations during 2016
The organizations reported the loss or compromise of ePHI (electronic personal health information), via internal breaches, through the Internet, or on unsecured personal servers, laptops and devices.
Consequently, since the beginning of 2016, HHS has collected large sums of money as the result of ten breaches or HIPAA violations. The latest was a whopping $5.55 million hit on Advocate Health Care for three incidents affecting about 4 million patients. Read all about it on the HHS web page.
CAPs micromanage, monitor, and require lots of reporting
The money settlement came with more strings attached: an agreed corrective action plan (CAP). The CAP amounts to a detailed path towards HIPAA compliance, milestones, proofs and reports.
The CAP that Advocate had to sign up for appears in Appendix A in their settlement. Beginning with paragraph V, this CAP should be required reading for every organization’s HIPAA privacy and security officer.
HIPAA second round audits under way
Any organization needing to get its HIPAA act together had better act fast. The second round of HIPAA audits began in July 2016. Organizations on the audit list have already received desk audit notices. For a description of the audit process, see this Health IT Security online news item.
Do a HIPAA gut-check
Essentially, what HIPAA auditors are looking for is evidence of a robust HIPAA compliance program. Affirmative answers to the following questions are significant evidence that an organization is HIPAA compliant:
- Are local policies and procedures regarding privacy and security up to date? Read this HHS.gov summary as a starting point.
- Are authorizations for release of health information in plain language and HIPAA compliant? Here is a link to a HIPAA-compliant release consent form for a third-party Medicare appeal.
- Is the organization’s privacy and security officer expressly designated and named? CFR 164 320 requires that a covered entity “designate a security official who is responsible for developing and implementing its security policies and procedures.”
- Is there a sanctions policy in place, either included in or referenced by the written HIPAA policies and procedures? Here is an example of a HIPAA violation sanctions policy in effect at the County of San Bernardino Department of Behavioral Health.
- Is the covered entity’s security risk assessment treated as a roadmap to HIPAA compliance, and not simply a checklist? Here is a link to the Intrinium website to coordinate and schedule a risk assessment.
- How complete and well documented is workforce training in HIPAA? Auditors will ask for samples of the training material.
- Is the organizational listing of business associate agreements current and comprehensive? If you have subcontractors who do medical billing, for example, they must be covered by a business associate agreement, and you must maintain an up-to-date roster of them.
- Are business associate agreements in place and HIPAA compliant? One underlying philosophy of HIPAA is that covered entities cannot delegate their responsibilities to third parties, and the third parties must operate under a HIPAA-compliant contract.
- Is a notice of privacy practices up to date and does it meet the Omnibus Final Rule requirements? Protecting personal and health information and informing patients of their rights are the main goals of HIPAA.
- Is there a breach response plan in place? Among other things, the plan must set in place a sequence of notifying affected individuals, HHS, and media outlets through press releases.
Looking for help with HIPAA?
HIPAA compliance and risk assessment is one of Intrinium’s specialties. If the foregoing ten questions only raised 20 more, we have the answers and solutions. Fill in the “contact us” box on the previously linked page and we’ll get busy helping you towards your goal of full HIPAA compliance.