A Costly Lesson that Shows the Importance of Security Rule Compliance
A recent settlement demonstrates the importance of complying with and implementing HIPAA Security Rule requirements. The settlement, announced by the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), goes all the way back to a breach report filed on June 9, 2011.
Metropolitan Community Health Services, doing business as Agape Health Services (the "organization"), filed a breach report on June 9, 2011, regarding the impermissible disclosure of protected health information (PHI) to an unknown email account. In total, the suspected breach affected 1,263 patients.
Noncompliance Identified by OCR Investigation
The OCR conducted an investigation and determined there was "longstanding, systemic noncompliance with the HIPAA Security Rule." The report issued by the OCR mentions the following specific findings:
- Failure to conduct any risk analyses
- Failure to implement any HIPAA Security Rule policies and procedures
- Failure to provide the workforce with security awareness training until 2016
The Final Cost
The organization agreed to pay $25,000 and adopt a comprehensive corrective action plan to settle the potential violations of the HIPAA Security Rule. Roger Severino, current OCR Director, made it clear that complying with HIPAA Rules is not optional by stating, "Healthcare providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals' health information."
Is Your Organization Compliant with Security Rule Requirements?
Healthcare organizations can learn essential lessons from these types of settlements. We have developed a list of five things your organization must do to ensure compliance with the HIPAA Security Rule.
Risk Analysis (SRA)
While there are several requirements under the HIPAA Security Rule, conducting, reviewing, and updating an SRA is perhaps the most crucial. It is important to remember that an SRA should be thought of as an ongoing process for the organization, one that should be continually improved upon to ensure the privacy and security of ePHI. In almost every OCR investigation that results in enforcement action, a failure to conduct an accurate and thorough SRA is a top finding.
An SRA and an inventory of all ePHI held by an organization go hand-in-hand. For an ePHI inventory to be complete, it must be accurate and up-to-date and include hardware, software, and other media where ePHI is stored, received, maintained, or transmitted. If an inventory contains only the hardware your organization uses to access ePHI, it will not be sufficient.
The OCR provides guidance on how an organization can gather relevant data to ensure that all ePHI is included in an inventory.
- Review past and/or existing projects that involved ePHI.
- Perform interviews of workforce members regarding the creation, receipt, transmission, and storage of ePHI.
- Review internal documentation and other data gathering techniques.
The bottom line is that regardless of the medium in which ePHI is created, received, maintained, or transmitted or its source or location, it must be included in the inventory.
3. Policies and Procedures
Healthcare organizations must have documented and implemented HIPAA Security Rule policies and procedures. This includes all required and addressable standards and implementation specifications. There is often confusion regarding the addressable implementation specifications of a specific Security Rule standard and whether they must be implemented. Consider the following options for the Security Rule's addressable implementation specifications:
- Implement the addressable implementation specification as it is written if it is reasonable and appropriate for the organization.
- Implement one or more alternative security measures to accomplish the same purpose if the implementation specification is not reasonable and appropriate.
- If the organization determines that it cannot implement the addressable implementation specification as written or a reasonable alternative, document the reasons.
Often the missing part of this evaluation process is determining whether an addressable implementation specification is reasonable and appropriate. All safeguards related to an addressable implementation specification should be established based on the organization's specific security framework. Documentation must be maintained that explains the organization's decision.
As mentioned by the OCR, a healthcare organization must ensure that its workforce receives "ongoing" security awareness training. Similar to an SRA, security awareness training is not something that is done once and never repeated. Security awareness training must be ongoing.
5. Risk Management Plan
Under the HIPAA Security Rule, risk management is a required implementation specification. This means that covered entities and business associates are required to "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a) [(the General Requirements of the Security Rule)]." In other words, healthcare organizations must have a risk management plan that addresses all of the requirements in the HIPAA Security Rule.
While this is not an exhaustive list, the five requirements above are not optional. They are essential to an effective HIPAA compliance program. If implemented correctly, they will reduce the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by a healthcare organization. If a breach of ePHI occurs resulting from a stolen laptop, a cyberattack, or impermissible disclosure, implementing these five requirements will help healthcare organizations demonstrate their commitment to compliance with HIPAA requirements to the OCR.