HIPAA Rules and Regulations are a reality, and healthcare providers must be compliant, by law. If the correct steps are taken and reasonable investments in time and money are made, medical practices can ensure that they are on the right track to meet HIPAA Privacy and Security Rules compliance and avoid an embarrassing investigation, costly fines and possibly even loss of business.
You may remember the post "HIPAA Privacy and Security Rules Compliancy is a must" that David Ruchman published here last May. At that time we mentioned a small firm that was in violation of the Rules because it kept appointment information in public calendars. A concerned patient notified HHS about this, and after a lengthy investigation the firm agreed to pay a $100,000 fine as well as correct the issues within its practice so it can become HIPAA Privacy and Security Rules compliant.
Idaho State University was in violation of HIPAA rules
Almost a year after that article, in a 5/21/2013 news release from the U.S. Department of Health & Human Services (HHS), HHS announced that Idaho State University (ISU) has agreed to pay $400,000 to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement involves the breach of unsecured electronic protected health information (ePHI) of approximately 17,500 patients, due to the disabling of firewall protections on servers maintained by ISU. The investigation by the HHS Office for Civil Rights (OCR) indicated that ISU's risk analyses and assessments of its clinics were incomplete, which led to an inadequate estimate of potential risks and vulnerabilities. ISU also failed to assess the likelihood of potential risks occurring, and it did not apply proper security measures, policies and procedures for routine review of its information systems. Overall, the breach could have been identified much sooner, if not prevented altogether.
"Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program," states Leon Rodriguez, Director of OCR.
In addition to paying the hefty fine of $400,000, ISU has agreed to a comprehensive corrective action plan to address the issues uncovered by the investigation and its failure to ensure uniform implementation of the required HIPAA Security Rule protections at each of its covered clinics. Beyond the financial loss, this case put a stain on ISU's reputation, not to mention the disruption to day-to-day business.
Make sure your organization does not find itself in a similar position!
How to become HIPAA Privacy and Security Rules compliant
If you are in the New Jersey/New York area and looking for a reputable, reliable Managed IT Services company, give us a call at 201-493-1414 to discuss your needs and schedule a Security Risk Assessment. IT Services and Computer Support for Healthcare is one of our core specialties.
September 23, 2013 is a HIPAA deadline. Several steps should be taken in order to move toward being compliant. The first thing to do is to reach out to your IT provider and ask what they have done to ensure you are compliant. Get written documentation explaining exactly what steps have been taken to help ensure your compliance.
Risk Analysis and Management
Be proactive. If you have not done so yet, have your IT department schedule and perform a Security Risk Analysis for your organization; if you do not have a formal IT department, reach out to a reputable local company and schedule a Risk Assessment, followed by ongoing Risk Management monitoring to keep up with ever-evolving security threats.
Internal HIPAA Policies
At the practice, create a formal HIPAA compliance policy. The changes that you make in your office should be documented as procedures. Each employee should have a handout to reference in case they need clarification. Also, stay on top of updates from HHS and hold regular education sessions for staff to review HIPAA procedures and policies. This will ensure that your employees are reminded of how to stay in compliance with these important HIPAA Privacy and Security Rules.
Have your Managed IT Services provider help ensure that you have an adequate, high-quality firewall in place at all your facilities involved with ePHI. Your IT department or Managed IT Services provider should set up procedures so that any and all Personally Identifiable Information (PII) is encrypted if stored in a database and that any emails containing PII are encrypted before they leave the facility.
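The "routine review of information systems" that OCR called out, applied to the encrypt-PII-at-rest requirement above, can be turned into a repeatable check. The following Python script is an added example written for this post; it is not code from the original article or from any IT provider. It assumes a convention (an assumption, not from the post) that the encryption layer stores every protected field as `enc:v1:<base64 ciphertext>`, and it scans constructed sample rows of a patient table for PII columns that are either plaintext or carry a malformed envelope. The ciphertext strings in the sample rows are constructed placeholders, not real encrypted data.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Assumed storage convention: every encrypted field is stored as
# "enc:v1:<base64>". Anything in a PII column without this envelope is
# treated as plaintext that should not be in the database.
ENVELOPE_PREFIX = "enc:v1:"

# Columns this practice classifies as PII / ePHI (assumed names).
PII_COLUMNS = ("ssn", "dob", "email")

# Best-effort patterns used only to name what kind of plaintext was found.
PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "dob": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

# Constructed sample export of a patient table. Row 101 is fully enveloped;
# rows 102 and 103 contain the kinds of mistakes a review should catch.
SAMPLE_ROWS = [
    {"id": 101, "ssn": "enc:v1:q3ZkT1ZkUG8xa2Z3dE1RUQ==",
     "dob": "enc:v1:Zm9vYmFyYmF6cXV4", "email": "enc:v1:bG9yZW1pcHN1bWRvbG9y"},
    {"id": 102, "ssn": "123-45-6789",
     "dob": "enc:v1:Zm9vYmFyYmF6cXV4", "email": "jane.doe@example.com"},
    {"id": 103, "ssn": "enc:v1:not base64!",
     "dob": "1975-11-02", "email": "enc:v1:YWJjZGVmZ2hpamts"},
]


@dataclass(frozen=True)
class Finding:
    row_id: int
    column: str
    issue: str      # "plaintext" or "malformed-envelope"
    detected: str   # which PII pattern matched, or "unrecognized"


def is_envelope_ciphertext(value) -> bool:
    """True if value carries the envelope prefix and a non-empty, valid base64 body."""
    if not isinstance(value, str) or not value.startswith(ENVELOPE_PREFIX):
        return False
    body = value[len(ENVELOPE_PREFIX):]
    try:
        return len(base64.b64decode(body, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def classify_plaintext(value: str) -> str:
    """Name the PII pattern a plaintext value matches, for the report."""
    for kind, pattern in PII_PATTERNS.items():
        if pattern.match(value):
            return kind
    return "unrecognized"


def scan_rows(rows, pii_columns=PII_COLUMNS):
    """Return one Finding per PII cell that is not properly encrypted."""
    findings = []
    for row in rows:
        for column in pii_columns:
            value = row.get(column)
            if value is None or is_envelope_ciphertext(value):
                continue
            if isinstance(value, str) and value.startswith(ENVELOPE_PREFIX):
                # Has the prefix but the body is not valid base64: a broken
                # write path, which also deserves a ticket.
                findings.append(Finding(row["id"], column, "malformed-envelope", "unrecognized"))
            else:
                findings.append(Finding(row["id"], column, "plaintext", classify_plaintext(str(value))))
    return findings


def summarize(findings):
    """Count findings per column so the review report shows where the gap is."""
    counts = {}
    for finding in findings:
        counts[finding.column] = counts.get(finding.column, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_rows(SAMPLE_ROWS)
    for finding in results:
        print(f"row {finding.row_id}: column '{finding.column}' is {finding.issue} ({finding.detected})")
    print("per-column totals:", summarize(results))
```

Run against a real export, a check like this belongs in the documented Risk Management routine rather than as a one-off: a zero-finding run is the evidence a reviewer can file, and any non-zero run points at the exact column and row that need the encryption path fixed. The envelope check only proves the field is not plaintext; it says nothing about key management, which a Security Risk Analysis still has to cover separately.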
Cloud Vendors Security
Ensure that all of your cloud application vendors are on board with HIPAA compliance. For example, if you run case management software at a location outside of your facility, request documentation proving that the vendor follows the rules and guidelines to stay HIPAA compliant.
According to the HIPAA Omnibus Final Rule released in January 2013, if you are a health care HIPAA Covered Entity, you need to be sure that all of your Business Associates, and all of their sub-contractors that may come in contact with your Protected Health Information (PHI), commit to achieving full compliance by the September 23, 2013 HIPAA deadline. Even though Business Associates are now directly responsible for HIPAA violations, you are still responsible for your Business Associates, and you risk large penalties if they don't comply.