What's the Cost of Losing a Laptop? $1.5 Million.

HHS announced today that it resolved a HIPAA security breach matter with two Massachusetts providers for $1.5 million.  In compliance with the Breach Notification Rule, the Massachusetts providers reported the theft of an unencrypted laptop containing ePHI.  Lest there be any lingering doubt as to the importance of compliance with the Security Rule, OCR Director Leon Rodriguez stated "In an age when health information is stored and transported on portable devices such as laptops, tablets, and mobile phones, special attention must be paid to safeguarding the information held on these devices . . . This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom.”  In addition to the settlement payment, the Massachusetts providers agreed to a corrective action plan that will be overseen by an independent monitor for the next three years.

 

Let the Audits Begin . . .

Following the mandate set forth in HITECH, OCR has just announced that it's piloting a HIPAA compliance audit program beginning this month in order to assess HIPAA compliance efforts.  During this pilot phase, which is expected to last through December 2012, OCR will audit up to 150 covered entities from "as wide a range of types and sizes of covered entities as possible."  At least for now, Business Associates will not be included in the pilot program.  OCR has engaged KPMG LLP to conduct the audits, and has made public a sample initial notification letter.  

Each audit will include a request for documents and information, a site visit, and a draft audit report.  Covered entities will have the ability to comment on the auditor's report before its finalized.  While OCR states that it primarily will be using the audit reports to help develop technical assistance and evaluate the efficacy of corrective action plans, OCR is retaining the right to initiate a compliance review to evaluate any serious compliance issues uncovered during this process.  At the conclusion of the pilot program, OCR will "broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges."  What happens after the pilot program, however, remains to be seen.            

Be Smart About Using Your Smart Phone in Practice: Understand and Manage the Risks Involved in Using Smart Phones and Tablets in Medical Practice

Thousands of people lose or have their smart phones and other portable devices stolen every day. While most people worry only about the irritation of replacing their phone in such a situation, when a health care professional loses a portable device containing patient information, the irritation of replacing the phone is the least of their worries. With the government handing out million dollar plus penalties for the mistreatment of patient information, now is the time to ensure your practice is best positioned to deal with the inevitable loss of a smart phone.

To view the presentation slides from speakers Erin McAlpin Eiselein, Partner at Davis Graham & Stubbs LLP, and Dr. Marion Jenkins, CEO of QSE Technologies, which were presented last Thursday, July 14th, at a seminar and cover best practices for health care providers who use smart phones and tablets in their medical practice, please click here. Learn how to minimize risk and avoid potential liability under the federal and state privacy and security laws so that the loss of a phone does not turn into the loss of your practice.

OCR Strikes Again: Mass General Pays $1 Million to Settle HIPAA Violations

On the heels of the Cignet Health civil monetary penalty for $4.3 million only two days ago, the OCR has announced today that Mass General, one of the country's oldest and largest hospitals, has agreed to pay HHS $1 million to settle potential HIPAA violations.  The incident leading to this settlement involved an employee who brought documents on the subway with her, as she intended to work on them at home.  Unfortunately for Mass General, those documents contained PHI of 192 individuals and the employee accidentallty left the documents on the subway.  In addition to the million dollar payment, Mass General also agreed to enter into a Corrective Action Plan, which requires the hospital to develop additional privacy policies and procedures, ensure that employees complete additional HIPAA training, and provide HHS with semi-annual reports for the next three years.  The settlement agreement and Corrective Action Plan are available here.

It's a First - HIPAA Violation Costs Cignet Health $4.3 million

HHS imposed the first civil monetary penalty for a HIPAA violation against Cignet Health.  The $4.3 million penalty arose from Cignet's failure to allow 41 patients access to their medical records.  It was then exacerbated by Cignet's refusal to cooperate with the OCR's investigation.  Cignet's willful neglect of its obligation to cooperate with the government investigation ultimately cost it $3 million on top of the $1.3 CMP imposed for the underlying access violation.  Lest there be any lingering doubt, ignoring a government investigation won't make it go away!