May 12th, 2016
The High Cost of HIPAA Violations
Health care organizations can’t afford to be careless about protecting the privacy and security of patient information. Even potential violations of the Health Insurance Portability and Accountability Act (HIPAA) can bring harsh consequences.
A recent case shows a practice running afoul of HIPAA’s Privacy Rule obligations — despite what seemed to be good intentions in entrusting patients’ protected health information (PHI) to an outside business associate.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR), the agency responsible for enforcing HIPAA’s provisions, last month published details of a settlement involving Raleigh Orthopaedic Clinic, P.A. of North Carolina, a group practice and surgery center operator. Raleigh Orthopaedic agreed to pay $750,000 to settle charges that it failed to execute a business associate agreement with a third party prior to handing over PHI for approximately 17,300 patients.
OCR’s investigation indicated that Raleigh Orthopaedic released patient X-rays and related PHI to an entity that promised to transfer the medical images to electronic media in exchange for harvesting silver from the X-ray film. However, the practice fell short of its HIPAA obligation because the lack of a prior business associate agreement potentially left sensitive health information vulnerable to misuse or improper disclosure.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels in a statement accompanying the settlement announcement. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Aside from the monetary assessment, the settlement requires Raleigh Orthopaedic to institute a corrective action plan spanning several areas: establish a process to assess whether entities are business associates; designate an individual responsible for putting business associate agreements in place prior to PHI disclosure; create a standard template business associate agreement; maintain documentation of business associate agreements for at least six years beyond termination dates; and limit PHI disclosures to business associates “to the minimum necessary to accomplish the purpose for which the business associate was hired,” according to OCR.
Risk analysis is also essential
A month before the Raleigh Orthopaedic settlement, a separate OCR case involving a Minnesota health system revealed not only a business associate agreement shortfall, but a failure to conduct a risk analysis to address vulnerabilities to patient information.
North Memorial Health Care of Minnesota agreed to pay OCR nearly $1.6 million to settle potential HIPAA violation charges. An OCR investigation found that the health system allowed a business associate — without an executed agreement — to access its hospital database, which stored the electronic PHI of approximately 290,000 patients. North Memorial also failed to complete a risk analysis addressing potential vulnerabilities to the electronic PHI stored and transmitted across its IT infrastructure, including mobile devices.
Subsequently, an unencrypted laptop was stolen from a locked vehicle belonging to a business associate worker. OCR reported that the theft impacted the electronic PHI of about 9,500 individuals.
In addition to its payment, North Memorial must develop an organization-wide risk analysis and management plan, according to the settlement document. The health system also agreed to train appropriate workforce members on all provisions of and revisions to its corrective action plan.
HIPAA compliance assessment will continue
Hospitals, health systems, and medical practices can expect further scrutiny from OCR in regard to HIPAA compliance. The agency’s 2016 HIPAA Audit Program, currently underway, calls for OCR review of policies and procedures adopted and employed by covered entities and their business associates. OCR says it will consider a broad spectrum of audit candidates; every covered entity and business associate is eligible for selection.
Job seekers looking at non-clinical health care positions need to be aware of HIPAA’s reach across the entire industry. Candidates should highlight HIPAA-related experience and training on their resume and during in-person interviews. Employers will give an edge to individuals who can step in quickly to proactively address and ensure compliance while carrying out their duties.