Last year, we saw one of the largest settlements to date. As a result of the settlement, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) reiterated the importance of compliance with HIPAA Security Rule requirements; specifically, the importance of engaging in a comprehensive risk analysis and risk management to ensure individuals' electronic protected health information (ePHI) is secure.
In a nutshell, Advocate Health Care Network (Advocate) failed to:
- conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
- implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
- obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
- reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
Jocelyn Samuels, OCR Director, said covered entities "must engage in a comprehensive risk analysis and risk management plan," which includes "implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level."
In the end, Advocate agreed to pay a settlement amount of $5.55 million and adopt a comprehensive corrective action plan.
What can we learn from this settlement?
OCR takes compliance with HIPAA requirements seriously, and failing to comply with these requirements can be costly. This is why Healthcare Compliance Pros is dedicated to helping practices develop a comprehensive compliance program based on custom policies and procedures that meet the HIPAA Privacy and HIPAA Security rules. We understand that it is not a question of if but of when: failing to comply with HIPAA requirements could result in a settlement for an organization. We are here to help you and your organization.
Please let us know if you have any questions or require assistance with how best to comply with HIPAA requirements: by email at [email protected] or by phone at 855-427-0427.