All we hear about these days is the Department of Health and Human Services (“HHS”) issuing and imposing large fines as a result of HIPAA data breaches. BUT, the community of Monroeville, Pa. was found to not have breached HIPAA regulations!?! How can this be?
“The Monroeville breach dates back to 2011-2012, when its 911 dispatch center allowed unauthorized users from five fire stations to easily access patient medical records from late 2011 to August 2012. Depending on emergency call type, affected patient data may have included names, driver’s license numbers, birth dates and medical histories.” Article. HHS determined that Monroeville, its dispatch center, police department and fire department do not provide healthcare services and found that they were not HIPAA covered entities.
HHS’ determination that the community was not a covered entity is the reason for the “no breach” determination.
Healthcare providers and entities need to determine whether the entities they are working with are covered by HIPAA and its applicable rules and regulations.
Many healthcare providers, and entities that provide services, may unwittingly designate themselves as “covered entities” or “business associates” when they may not actually fall within the technical definitions. Entities that are navigating the complex HIPAA rules should work closely with healthcare counsel to recognize which obligations they must follow, and determine whether they can escape potential liability if they are not truly covered by HIPAA. If your entity is covered by HIPAA, you need to make sure you have the proper policies and procedures in place, and your staff are properly trained.