Five achievable priorities are an efficient way to improve compliance and save you time and money.
In an ideal world, we have time and resources to do everything the experts recommend, from A to Z. In the real world, most people need to set priorities and do the most they can with the resources they have.
Based on enforcement settlements from the Office for Civil Rights (OCR), there are five priorities that could do the most to lower your risks of a breach or an investigation, reduce costs, and preserve patient privacy.
Do an Enterprise-Wide Risk Analysis
The importance of an enterprise-wide risk analysis cannot be overstated. For organizations with one location, this simply means to be thorough, and be sure to evaluate any off-site locations of protected health information (PHI) whether held by a business associate, or on a server at a data security site you own. Any virtual private networks (VPNs) need to be kept secure, and included in the risk analysis.
For organizations with more than one office or patient care site, it is critically important to conduct a site-specific risk analysis for each site. One of the most visible settlements happened at the kidney care company, Fresenius Medical Care North America for $3.5 million.
There are other examples of high-visibility, high-cost settlements, all providing a lesson in the importance of risk analysis. Below are just four examples among many more, including organizations of all sizes and types.
- Premera Blue Cross – the second highest settlement in OCR history (after Anthem) – $6.85 million settlement for risk analysis and risk management failures, among other alleged HIPAA violations.
- Excellus Health Plan – $5.1 million settlement for risk analysis and risk management failures, among other alleged HIPAA violations.
- Oregon Health & Science University – $2.7 million settlement for the lack of an enterprise-wide risk analysis.
- Cardionet – $2.5 million settlement for an incomplete risk analysis and lack of risk management processes.
Conduct Risk Management Year-Round
After finishing the Risk Analysis, you must follow through with a Risk Management plan. Any gaps discovered in the Risk Analysis need to be addressed.
HIPAA requires every organization to have administrative, physical and technical safeguards to protect the privacy and security of PHI.
You are not expected to solve everything overnight, but there should be an orderly plan to implement the safeguards and make improvements. If you learn about risks and vulnerabilities in your organization and fail to act, OCR is likely to take a harder stand and insist on a higher fine.
There are many examples involving risk management failures but three of the larger ones are:
- Aetna Life Insurance Company – $1 million for failure “to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI”
- Alaska Department of Health and Social Services – $1.7 million penalty for inadequate risk management policies, the failure to perform a risk analysis, and other risk management failures.
- Jackson Health System – $2.15 million civil money penalty for, among other things, failing to conduct enterprise-wide risk analyses and to manage identified risks to a reasonable and appropriate level. (NOTE: this case was not a settlement, but a penalty payment after Jackson Health did not contest OCR’s findings.)
Follow the Patient Right of Access Rule
OCR made HIPAA Right of Access violations one of its key enforcement objectives in late 2019. Since then it has announced twenty-five separate settlements of right of access violations. These settlements have been with both very small and large providers, with amounts ranging from $3,500 for a sole practitioner to $160,000 for a behavioral health clinic. The five most recent settlements can be viewed here.
Enter Business Associate Agreements
Nearly every covered entity has business associates – third-party vendors helping carry out the covered entity’s mission in healthcare. If a third-party vendor “creates, receives, maintains or transmits” PHI, it is a HIPAA business associate and is separately liable for HIPAA compliance. But covered entities are responsible for entering business associate agreements with them, and for conducting due diligence regarding their HIPAA policies and procedures.
A recent nightmare scenario involving a business associate breach happened at Ciox Health, when a hacker broke in and accessed the PHI of 32 different covered entities at the same time. Although Ciox is responsible under HIPAA, those 32 covered entities are not off the hook. Each of them will be asked by OCR whether they had a business associate agreement in place, and whether they conducted due diligence. If not, they could also be found to have violated HIPAA, and be subject to fines.
Access Controls for Electronic PHI
A central requirement of the HIPAA Security Rule is having technical and physical safeguards for protecting PHI. As a practical matter, this means allowing electronic access only to those staff who need it specifically for their job function, and limiting facility access to areas where PHI may be held.
For electronic access, this may require unique user identification, strong password policies, monitoring of access logs, and workforce training, among other things.
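As an added illustration (not code from the original article or from The HIPAA E-Tool), the following Python script reviews constructed ePHI audit-log records for the controls just listed: whether one user ID appears to be shared across workstations (a gap in unique user identification), whether a role performed an action outside its job function, and whether non-clinical staff accessed records after hours. The log format, role-to-action policy and shift window are assumptions for the example.

```python
"""Review constructed ePHI access-audit records for basic access-control gaps."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): time, user, role, workstation, patient, action
AUDIT_LOG = """\
2024-03-04T09:02:11 jdoe nurse WS-ICU-1 P1001 view_chart
2024-03-04T09:04:40 jdoe nurse WS-ED-7 P1002 view_chart
2024-03-04T09:30:05 rlee billing WS-FIN-2 P1003 view_claim
2024-03-04T02:15:52 rlee billing WS-FIN-2 P1004 view_clinical_note
2024-03-04T14:10:00 msmith physician WS-CLINIC-3 P1005 update_chart
"""

# Assumed policy: which actions each job function may perform on ePHI
ALLOWED = {
    "nurse": {"view_chart", "update_chart"},
    "physician": {"view_chart", "update_chart", "view_clinical_note"},
    "billing": {"view_claim"},
}
SHIFT_START, SHIFT_END = 7, 19            # assumed 07:00-19:00 window for non-clinical roles
CONCURRENT_WINDOW = timedelta(minutes=10)  # two workstations within this window looks shared


def parse(log):
    """Split whitespace-delimited audit lines into typed tuples."""
    rows = []
    for line in log.splitlines():
        ts, user, role, ws, patient, action = line.split()
        rows.append((datetime.fromisoformat(ts), user, role, ws, patient, action))
    return rows


def review(log):
    """Return a list of (finding, user) tuples for a reviewer to follow up."""
    findings = []
    by_user = defaultdict(list)
    for ts, user, role, ws, patient, action in parse(log):
        by_user[user].append((ts, ws))
        if action not in ALLOWED.get(role, set()):
            findings.append(("action_outside_role", user))
        if role == "billing" and not SHIFT_START <= ts.hour < SHIFT_END:
            findings.append(("after_hours_access", user))
    # One user ID active on two different workstations within a short window
    # suggests a shared credential, which defeats unique user identification.
    for user, events in by_user.items():
        events.sort()
        for (t1, w1), (t2, w2) in zip(events, events[1:]):
            if w1 != w2 and t2 - t1 <= CONCURRENT_WINDOW:
                findings.append(("possible_shared_credential", user))
    return findings
```

Each finding is a lead for the risk management plan, not a conclusion: a shared-credential hit still needs to be confirmed against badge or VPN records before any workforce action.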
Numerous settlements have identified lack of access controls as potential violations. Two notable examples are:
- Anthem Inc. – Anthem has paid the largest settlement to date in OCR history – $16 million penalty for access control failures and other serious HIPAA violations.
- Memorial Healthcare System – $5.5 million penalty for insufficient electronic PHI access controls.
The HIPAA E-Tool® Has it All
If you need help with priorities, are serious about compliance but need to be mindful of budgets, The HIPAA E-Tool® is the best bet. We have everything you need, with step-by-step guidance to accomplish your goals and reduce your risks.