Consider the Cost of HIPAA Noncompliance — Part 3

Posted on 26 Nov, 2018 | By Elizabeth

What Your Practice Must Know About the HIPAA Privacy & Security Rules

HIPAA failures continue to make news headlines. Fresenius Medical Care North America (FMCNA), for instance, failed to implement HIPAA's risk assessment and risk management requirements, and the organization went on to report five HIPAA breaches.

It took only a few thefts to force FMCNA into a $3.5 million settlement with the Office for Civil Rights (OCR):

  • FMC Duval had two desktop computers stolen during a break-in. The organization reported that one of the devices held the ePHI of 200 individuals. The OCR found that FMC Duval “failed to implement policies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft.”
  • FMC Magnolia Grove also experienced a theft, in this case of an unencrypted USB drive. Here the OCR found that “FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility.”
  • FMC Ak-Chin had a hard drive from a desktop computer go missing. A workforce member reported the missing drive and notified the Area Manager, but the Area Manager did not report the incident to the corporate risk management department.

“Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law,” warned OCR Director Roger Severino.

And protecting your patients' protected health information (PHI) means accounting for all adverse events, including the possibility that your practice becomes the victim of a crime. To be clear, suffering a breach because you were victimized does not earn federal leniency. Most breaches, after all, are the direct result of victimization, whether the inciting incident was a cyberattack or mother nature's worst.

Bottom line: OCR's FMCNA investigation revealed that the organization had neglected to conduct a comprehensive assessment of the risks to the confidentiality, integrity, and availability of its PHI. FMCNA was therefore held responsible for the exposure that resulted from the thefts.

Failing to comply in accordance with HIPAA laws ultimately adds insult to injury.

Could Your Practice be the Next Headline?

When’s the last time you examined your internal policies and procedures for holes? Is your PHI secure? Is your HIPAA compliance program and breach reporting protocol current, ironclad, and above reproach?

So much can go wrong on the frontlines of HIPAA security, and at great cost to your medical practice. Beyond civil monetary penalties, you stand to lose your reputation and your patients' trust. It can take years to recover from the fallout of a HIPAA violation, if your practice manages to recover at all. Regaining one's financial footing isn't always possible.

So why do so many of us read the HIPAA headlines and disregard the warnings? Surely those who have fallen had, at one time or another, said—‘It won’t happen to us.’

Get Your Affairs in Order with the All-essential Risk Assessment

Without baseline knowledge of how effective your security, privacy, and breach-notification processes actually are, you face each day blindly: absorbed in operations and completely unaware of your security vulnerabilities.

Bottom line: you're playing Russian roulette with the OCR, and sooner or later that gun is going to fire. Vulnerabilities inevitably become violations.

Take OCR Director Roger Severino at his word: “There is no substitute for an enterprise-wide risk analysis.”

It's imperative to audit your practice's administrative, physical, and technical safeguards against the requirements of the HIPAA Security Rule. In summary:

  1. Assess your administrative processes for securing your patients' PHI. How effective are these processes? Are your policies and procedures documented? Is your staff trained on HIPAA security requirements?
  2. Assess your physical premises to verify that proper safeguards are in place. Are paper health records kept in locked cabinets? Do you have an alarm system for the premises? Do documented policies govern and track the movement of portable devices containing PHI within and outside your facility?
  3. Perform regular technical audits of how ePHI is transmitted, stored, and accessed. This step is rather involved, but, briefly: Does your password management meet HIPAA's requirements? Is log-in activity on your network monitored and logged? Is your firewall effective and up to date? What antivirus software are you running, and is it current? Are your portable devices encrypted? Is your staff trained on HIPAA security measures, including how to recognize and avoid phishing scams and how to avoid accidentally installing malware?
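
As an added example (not part of the original article), the following Python script automates two of the technical checks above over constructed sample data: it flags devices in an asset inventory that hold ePHI but are not encrypted (the FMCNA USB-drive and missing-hard-drive cases), and it scans application log-in records for a burst of failed logins followed by a success, which is what a monitored log should surface. The inventory records, the log-line format, and the threshold values are assumptions for illustration; a real audit would read from the practice's asset register and its EHR or identity-provider logs.

```python
"""Two technical-safeguard checks over constructed sample data (illustrative only)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical records, not from any real practice).
DEVICE_INVENTORY = [
    {"asset": "LAPTOP-0412", "type": "laptop", "portable": True, "encrypted": True, "holds_ephi": True},
    {"asset": "USB-0091", "type": "usb", "portable": True, "encrypted": False, "holds_ephi": True},
    {"asset": "DESK-0133", "type": "desktop", "portable": False, "encrypted": False, "holds_ephi": True},
    {"asset": "USB-0092", "type": "usb", "portable": True, "encrypted": False, "holds_ephi": False},
]

# Constructed application log-in records in an assumed format: <iso-timestamp> <app> <event> user=<u> src=<ip>
SAMPLE_AUTH_LOG = """\
2018-11-20T08:01:12 EHR-APP LOGIN_FAILED user=jdoe src=10.0.4.17
2018-11-20T08:01:20 EHR-APP LOGIN_FAILED user=jdoe src=10.0.4.17
2018-11-20T08:01:31 EHR-APP LOGIN_FAILED user=jdoe src=10.0.4.17
2018-11-20T08:01:44 EHR-APP LOGIN_FAILED user=jdoe src=10.0.4.17
2018-11-20T08:01:58 EHR-APP LOGIN_FAILED user=jdoe src=10.0.4.17
2018-11-20T08:02:09 EHR-APP LOGIN_FAILED user=jdoe src=10.0.4.17
2018-11-20T08:02:15 EHR-APP LOGIN_OK user=jdoe src=10.0.4.17
2018-11-20T09:15:02 EHR-APP LOGIN_FAILED user=asmith src=10.0.4.22
2018-11-20T09:40:10 EHR-APP LOGIN_FAILED user=asmith src=10.0.4.22
garbage line that the parser should skip
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def unencrypted_ephi_devices(inventory):
    """Return asset tags of devices that hold ePHI but are not encrypted at rest.

    Portable devices are listed first because they are the ones that walk out
    of the building; an encrypted device that is lost is generally not a
    reportable breach, an unencrypted one is.
    """
    flagged = [d for d in inventory if d["holds_ephi"] and not d["encrypted"]]
    flagged.sort(key=lambda d: (not d["portable"], d["asset"]))
    return [d["asset"] for d in flagged]


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {user: {"peak": n, "success_after_burst": bool}} for every user
    with at least `threshold` failed log-ins inside any sliding `window`.

    A successful log-in after such a burst is the signal to escalate: it is
    consistent with a guessed or stuffed credential rather than a typo.
    """
    per_user = defaultdict(deque)  # recent failure timestamps per user
    findings = {}
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unparseable line; a real audit would count these separately
        user, ts = m["user"], datetime.fromisoformat(m["ts"])
        if m["event"] == "LOGIN_OK":
            if user in findings:
                findings[user]["success_after_burst"] = True
            continue
        q = per_user[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(user, {"peak": 0, "success_after_burst": False})
            f["peak"] = max(f["peak"], len(q))
    return findings


if __name__ == "__main__":
    print("Unencrypted devices holding ePHI:", unencrypted_ephi_devices(DEVICE_INVENTORY))
    print("Failed-login bursts:", failed_login_bursts(SAMPLE_AUTH_LOG))
```

Running the script lists the unencrypted USB drive ahead of the unencrypted desktop, and reports the jdoe account with a peak of six failures in under a minute followed by a successful log-in, while asmith's two failures 25 minutes apart never trip the threshold. The same two functions run unchanged over a real inventory export and real log lines once the record format is adjusted.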

You need to identify all the PHI within your organization, including PHI you create, receive, maintain, or transmit. Know the external sources of your PHI: do your vendors and consultants create, receive, maintain, or transmit ePHI? You must identify every human, natural, and environmental threat to the information systems that hold ePHI, and address those threats in a documented plan of actionable safeguards that reduces the risk of exposure to a reasonable and appropriate level.

Your risk assessment must align with OCR's guidance. It's wise to visit OCR's Guidance on Risk Analysis page, where you'll find two government-sponsored tools available to your organization:

  • The NIST HIPAA Security Toolkit Application, developed by the National Institute of Standards and Technology (NIST), is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and organizations that provide HIPAA Security Rule implementation, assessment, and compliance services.
  • The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly released a HIPAA Security Risk Assessment (SRA) Tool, designed to help small and medium-sized health care practices and business associates comply with the HIPAA Security Rule.

But do not STOP at risk assessment, as so many others have!

Follow Through with Comprehensive Risk Management or Pay the Price

There is no “almost” when it comes to HIPAA security. Still, far too many organizations never progress beyond the “almost” of a risk assessment to the full, end-to-end implementation of risk management.

Such was the $4.3 million mistake made by the University of Texas MD Anderson Cancer Center, which had an encryption policy in place for several years before three of its unencrypted devices were lost.

Remember: it's just a matter of time before a vulnerability becomes a violation.

You’re familiar with the Robert Burns quote, how “the best-laid plans of mice and men often go awry”? Well, as the HIPAA headlines attest, plans are but good intentions unless someone follows up on the blueprint and builds the design.

Risk management means implementation—specifically, implementing your risk assessment action items.

Large organizations and small practices alike continue to make the same mistake, and both continue to pay the price. They have plans to complete every item identified in their risk assessment, but they haven't gotten around to it. Worse, many practices, like FMCNA, never fully carried out the risk assessment itself, simply because they weren't clear on what it involves.

How would you appraise your HIPAA know-how? Is your knowledge current and comprehensive? Have you identified all the security gaps in your systems and procedures and eliminated all the holes?

Learn More

It’s time to take the warnings seriously. If those in the headlines weren’t immune, neither are you.

Download a FREE copy of What Your Practice Must Know About the HIPAA Privacy & Security Rules to build on your baseline knowledge of HIPAA compliance and effectively train your team.

Master HIPAA compliance with the industry's best-selling handbook, the HIPAA Handbook 2018. Our nationally recognized HIPAA compliance experts lay out best practices and walk you step by step through the dos and don'ts of compliance. We also address new target areas and introduce you to tools to nail down risk assessments, tighten up your EHR privacy and security, reassess your risk analysis plan, prep for audits, and more.

Stay on top of evolving regulations, new technologies, and security threats with current, to-the-point guidance in your monthly subscription to Health Information Compliance Alert. In every issue, our experts tackle challenging security scenarios across the spectrum of health IT to keep you in the know, help you train your staff, and equip you to implement protocols to preserve the integrity of your practice.

Elizabeth works on an array of projects at TCI, researching and writing about modern reimbursement challenges. Since joining TCI in 2017, she has also covered the nuts and bolts of cybersecurity, compliance with federal laws, and how to tap into the advantages of telehealth services.
