If you think your practice’s policies and procedures from 2003 are compliant with current law, please keep reading.
As many health care providers know, on January 25, 2013, the U.S. Department of Health and Human Services (“HHS”) published the final rule outlining significant changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The final rule went into effect September 23, 2013. However, many health care organizations have not updated their policies and procedures.
On December 26, 2013, HHS announced its first settlement with a covered entity, Adult & Pediatric Dermatology, P.C., of Concord, Mass. (“APDerm”), for not having policies and procedures in place to address the breach notification provisions of the HITECH Act.
“The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.” Article.
Many practices believe that their old policies and procedures, contained in a binder on a shelf, are sufficient to withstand scrutiny from HHS. This is simply not true. If you haven’t updated your policies, your practice will be subject to increased penalties in the event of a data breach and HHS investigation.
APDerm settled with HHS for $150,000 and agreed to a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR. Article.
Health care organizations must be proactive in continually reviewing, updating, and implementing their policies and procedures to help prevent a devastating data breach. Moreover, staff must be continually trained on the applicable policies and procedures.
As the HITECH Act compliance date was September 23, 2013, please do not hesitate to contact us for assistance with reviewing and updating your organization’s policies and procedures, as well as assistance with training your staff.
Tell us how your organization stays compliant. Share your ideas with us by clicking on the comment button below. We’d love to hear from you.