September 12, 2016
Protecting Your Entire Organization
Businesses often overlook the need for a strategy that satisfies both the HIPAA Privacy Rule and the HIPAA Security Rule. Whether compliance is pursued through procedures, training programs, or compliance solutions, a covered entity must keep electronic protected health information (ePHI) secure at all times.
From limiting which employees can access sensitive patient information to training staff on how to handle and communicate it, leadership should set the protocols that protect patient data. Both privacy-based and security-based processes must be covered, and the areas where the two overlap often go unrecognized because a given procedure is usually written to serve only one of them. Develop an organization-wide strategy that covers the entire spectrum.
When an organization leaves a required area unprotected, the Department of Health & Human Services (HHS) responds with severe penalties: hefty fines, public condemnation, and community backlash, among other consequences of ignoring HIPAA mandates.
In 2016, the HHS Office for Civil Rights (OCR) hit Advocate Health Care Network (AHCN) with a $5.55 million settlement, while the University of Mississippi Medical Center (UMMC) agreed to pay $2.75 million. That is more than $8 million in HIPAA penalties between just two organizations.
Here are some of OCR's findings against Advocate Health Care Network and UMMC.
Advocates Health Care Network
OCR opened its investigation of AHCN in 2013 after three separate breach reports that together affected approximately 4 million individuals.
OCR found that AHCN failed to:
- “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI”
- “implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center”
- “obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession”
- “reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight”
Advocate Health Care Network describes itself as the “largest fully-integrated health care system in Illinois”, with more than 250 treatment locations.
University of Mississippi Medical Center
In 2013, OCR was notified that a password-protected laptop was missing from UMMC; the breach affected an estimated 10,000 patients. During its investigation, OCR also found that ePHI stored on a UMMC network drive could be reached over the hospital’s wireless network using a generic, shared username and password.
OCR found that UMMC failed to:
- “implement its policies and procedures to prevent, detect, contain, and correct security violations”
- “implement physical safeguards for all workstations that access ePHI to restrict access to authorized users”
- “assign a unique user name and/or number for identifying and tracking user identity in information systems containing ePHI”
- “notify each individual whose unsecured ePHI was reasonably believed to have been accessed, acquired, used, or disclosed as a result of the breach”
The University of Mississippi Medical Center “provides patient care in four specialized hospitals on the Jackson campus and at clinics throughout Jackson and the state”.
As the penalties above show, failing to meet HIPAA requirements can cost an organization far more than a security program or privacy plan costs to implement. Read together, OCR’s findings are a checklist of minimum Security Rule safeguards: an accurate, enterprise-wide risk analysis; physical access controls for the systems and workstations that hold ePHI; written business associate agreements; encryption of portable devices such as laptops; unique user IDs so that activity can be traced to an individual; and timely notification of affected individuals after a breach. Meeting these minimums keeps your organization out of million-dollar-plus penalty territory; going further also gives your users, clients, and employees confidence that their data is handled properly.
Regardless of how you go about your own business processes, make sure to always create a comprehensive, wide-ranging strategy that covers both Privacy & Security measures.
We currently offer a free trial of our HIPAA Compliant secure email solution for you to try out today!
Written by Peter J. Schaub
President & CEO, NeoCertified