Missing the Target of HIPAA – Part 3

If you haven't read my previous two blogs on this topic I encourage you to do so.  The first blog stresses the importance of being proficient in risk management over being a HIPAA “expert”. The second blog deals with being accountable in your work actions, which means not only that you are responsible for your actions, but that your actions can be independently verified.  These two “factors” can go a long way toward protecting your organization from the risks of a breach and from substantial penalties and fines for failure to comply with HIPAA regulations.  A coworker forwarded an article to me that provides a good example of both of these traits, or rather the lack of them, and that also emphasizes the next important step: training.

The National Law Review article published on April 27th stated that the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced a settlement for a breach of electronic protected health information (ePHI).  This is the first settlement involving a wireless health services provider, and it totaled $2.5 million.  The Covered Entity (CE) reported a breach affecting 1,400 people due to a laptop being stolen from a car. Later that same year the CE reported an additional breach affecting 2,200 individuals.

The OCR audit found that the CE had 1) not performed a risk assessment, 2) lacked sufficient risk management processes and 3) had not adopted proper policies and procedures.

In addition to the fine, the OCR implemented a two-year compliance oversight program that includes the following corrective actions:

  1. Conduct a risk analysis of security risks and vulnerabilities.
  2. Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis.
  3. Update policies and procedures based on implementation of the risk management plan.
  4. Implement secure device and media controls with proper encryption protocols for portable devices and media.
  5. Review and revise its training program relating to the use, security, encryption, handling of mobile devices, and out-of-office transmissions.

The complete National Law Review article can be found at http://www.natlawreview.com/article/stolen-laptop-and-lack-understanding-hipaa-leads-to-25-million-settlement.

The first three corrective actions are standard elements of risk management, and they define how to perform corrective actions 4 and 5.  Obviously, cybersecurity is a top priority, but workforce training, corrective action 5, is a key component of any organization’s security.

Your security is only as good as any single individual in your organization.  One person clicking on an unverified hyperlink can introduce ransomware to your systems, stop delivery of healthcare and potentially damage a practice beyond repair. Training strengthens accountability and enables efficient and effective risk management.  Regular, up-to-date training and ongoing awareness campaigns emphasize the importance of security and maintain vigilance, helping to build a "human firewall".

These are standard deliverables for our customers, and we support them throughout the process.  If you’d like to learn how we can help your organization better protect your customers’ ePHI and avoid costly fines, contact us at support@thirdrock.com.

Protect Your Patients.  Protect Your Practice. Protect Yourself™.


Ed Jones, PMP, CHSP
About the Author

With over 30 years of customer-facing experience managing projects in healthcare, IT and process automation across a variety of tech industries, Ed has worked for companies ranging from start-ups to Fortune 100 firms. He has performed numerous complex and extensive risk assessments, and has developed and managed the corresponding risk management strategies.
