HHS settlement demonstrates importance of risk analysis

For some healthcare providers and organizations there is an "it won't happen to me" belief that gives them a false sense of security. Completing a risk analysis is something that generally isn't a priority for these organizations. For one healthcare organization, not completing a risk analysis and failing to have strong policies and procedures contributed to a breach of unsecured protected health information.

Electronic protected health information (ePHI) was breached when a laptop bag was stolen from an employee's car, resulting in a $750,000 HIPAA settlement. According to the U.S. Department of Health and Human Services (HHS) announcement, the laptop bag contained the employee's computer and unencrypted backup media. The computer contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients.

The HHS Office for Civil Rights (OCR) investigation found that the organization was in non-compliance with the HIPAA Security Rule prior to the breach. Specifically, the organization failed to conduct an enterprise-wide risk analysis. In addition, the organization failed to have a written policy specific to the removal of hardware and electronic media containing ePHI into and out of its facilities, despite this being a common practice within the organization.

OCR Director Jocelyn Samuels said "organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients' health information." Ms. Samuels goes on to say "proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information."

In addition to the fine, the organization was required to take corrective action with regard to the HIPAA Privacy and Security Rules. They were also required to take actions to come into compliance with the other provisions of the HIPAA Rules.
How we can help

This HHS settlement is an important reminder that HHS takes risk analysis and policies and procedures seriously. As we mentioned in a previous article, Healthcare Compliance Pros offers three options for conducting an SRA, identifying areas that should be addressed or corrected and where policies and procedures may be missing. Our SRA meets and exceeds HIPAA and meaningful use requirements for Stage 1, Stage 2, and beyond. If there are any updates that need to be included as part of the SRA process, we will take care of that for you to ensure you and your organization are in compliance with HIPAA and meaningful use requirements. If you would like more information about all of our SRA options, or if you have any compliance questions, please feel free to comment below, send us an email at [email protected].com, or reach us by phone toll-free at 8554270427.