Two settlements in the last week show that failure to comply with HIPAA can be costly. The Office for Civil Rights (OCR) continues to pursue organizations who are not in compliance. Taken together these settlements offer basic lessons on how to comply and prevent costly fines.
In one case, the Center for Children’s Digestive Health with seven clinics in Illinois was fined $31,000 for failing to have a business associate agreement with its record storage company holding protected health information (PHI). Today OCR announced a $2.5 million settlement with CardioNet, a wireless health services provider that monitors cardiac data for patients. A laptop was stolen from a workforce member’s car at home, and 1,391 individuals’ electronic PHI was breached. This is the first settlement with a wireless health service provider. The size of the settlement reflects the size of CardioNet’s failings – an insufficient risk analysis/risk management plan; policies and procedures in draft form, not finalized; and inadequate safeguards for electronic PHI.
Below is a basic checklist to evaluate if you are on the right track. If you need help, check out The HIPAA E-Tool® which is the most complete and legally rigorous safeguard you can find anywhere.