OCR Settles for $5.5 Million in Business Associate Agreement Violation and PHI Breach

The importance of securing patient information cannot be overstated. The following report from Compliancy Group demonstrates the high cost of not having the proper security protocols in place for regulatory compliance as well as the necessary safeguards to protect PHI.


On March 17, 2016, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reached a settlement with the North Memorial Health System of Minnesota for $1.55 million after it improperly disclosed the protected health information (PHI) of almost 300,000 patients over the course of five months during 2011. Additionally, a larger fine of $3.9 million went to the Feinstein Institute for Medical Research.

In September of 2011, North Memorial reported that a laptop containing the electronic PHI (ePHI) of 6,697 patients had been stolen in July of 2011. During the course of OCR’s investigation, North Memorial also reported several other violations, including the fact that the organization didn’t have a documented Business Associate Agreement (BAA) with its billing company, Accretive, from March of 2011 through October of 2011. At that point, a BAA was finally provided, but the lapse had already resulted in the unlawful disclosure of the PHI of at least 289,904 patients from March to October while the BAA was not in place.

“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of OCR. “Organizations must have in place compliant Business Associate Agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR determined that North Memorial had violated the HIPAA Privacy and Security Rules by allowing Accretive access to PHI, both electronic and physical, without a proper BAA in place. The Privacy and Security Rules also mandate that covered entities complete a risk analysis that addresses risks to ePHI, which North Memorial had also neglected to implement.

North Memorial has agreed to develop an intensive risk analysis and risk management plan that must be completed and reviewed within 180 days. New training initiatives also need to be extended to all employees, so that they can familiarize themselves with the new policies and procedures created as a result of the corrective action plan.

Additionally, a breach report filed on September 2, 2012 by the Feinstein Institute prompted another investigation. Officials at Feinstein reported that a laptop had been stolen from an employee’s car that contained the ePHI of 13,000 patients, including names, dates of birth, Social Security numbers, and other medical information. It was later found that Feinstein lacked the required policies and procedures under HIPAA that would have implemented safeguards to restrict access by unauthorized users.

Even though OCR had originally been called in for the missing laptop, North Memorial was handed one of the largest fines in the history of HIPAA enforcement for an entirely unrelated, but equally serious, violation. OCR is raising the stakes of enforcement through stricter settlements and penalties, especially when PHI breaches affect this many individuals. Business Associates and Covered Entities alike are beholden to the same compliance standards. Implementing and maintaining effective Business Associate Agreements is more pressing now than ever before.

Apex understands the very real necessity of having all of the proper policies and procedures in place to keep practices like yours from facing prosecution and fines as described in this article. We have the people, the background, and the skills to help you protect yourself and your practice’s future. For a consultation with one of our advisors, call (800) 310-2739 or email info@apex.com today.
