HIPAA failures continue to populate news headlines. Fresenius Medical Care North America (FMCNA), for instance, didn’t implement HIPAA’s risk assessment and risk management requirements, which resulted in 5 HIPAA breaches.
It took only a few thefts to force FMCNA to settle at $3.5 million with the Office for Civil Rights (OCR):
“Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law,” warned OCR Director Roger Severino.
And protecting your patients’ protected health information (PHI) involves accounting for all adverse events, including the possibility that your practice is victimized by crime. To be clear, incurring a breach because you were a victim doesn’t earn federal leniency. Most breaches, after all, are a direct result of victimization, whether the inciting incident was a cyberattack or mother nature’s worst.
Bottom line: OCR’s FMCNA investigation revealed that the organization neglected to conduct a comprehensive assessment of potential risks to the confidentiality, integrity, and availability of its PHI. FMCNA is therefore responsible for the exposure caused by the thefts.
Failing to comply in accordance with HIPAA laws ultimately adds insult to injury.
When’s the last time you examined your internal policies and procedures for holes? Is your PHI secure? Is your HIPAA compliance program and breach reporting protocol current, ironclad, and above reproach?
So much can go wrong on the frontlines of HIPAA security—and at great cost to your medical practice. At stake, in addition to civil monetary penalties, you stand to lose your reputation and patients’ trust. It can take years to recover from the fallout of a HIPAA violation—if your practice manages to recover. Regaining one’s financial footing isn’t always possible.
So why do so many of us read the HIPAA headlines and disregard the warnings? Surely those who have fallen had, at one time or another, said—‘It won’t happen to us.’
Lacking baseline knowledge of the efficacy of your security, privacy, and breach-notification procedures leaves you to blindly face each day, invested in operations and completely unaware of your security vulnerabilities.
Bottom line: You’re playing Russian roulette with the OCR, and sooner or later, that gun’s going to fire. Vulnerabilities inevitably become violations.
Take OCR Director Roger Severino at his word: “There is no substitute for an enterprise-wide risk analysis.”
It’s imperative to audit your practice’s administrative, physical, and technical compliance with the HIPAA Security Rule. In summary:
You want to identify all the PHI within your organization. This includes PHI you create, receive, maintain, or transmit. Know the external sources of your PHI: do your vendors and consultants create, receive, maintain, or transmit e-PHI? You must identify every human, natural, and environmental threat to the information systems that contain e-PHI, and address these threats in a documented plan of actionable safeguards that eliminates the risk of exposure.
Your risk assessment must fully align with the guidelines. It’s wise to visit Guidance on Risk Analysis | HHS.gov. There you’ll find two government-sponsored tools available to your organization.
But do not STOP at risk assessment, as so many others have!
Everyone knows there is no “almost” when it comes to HIPAA security. Still, far too many organizations fail to progress beyond the “almost” of risk assessment to the full-out, end-to-end implementation of risk management.
Such was the $4.3 million mistake made by the University of Texas MD Anderson Cancer Center, which had an encryption policy in place several years before three of its unencrypted devices were lost.
Remember: It’s just a matter of time before a vulnerability becomes a violation.
You’re familiar with the Robert Burns quote, how “the best-laid plans of mice and men often go awry”? Well, as the HIPAA headlines attest, plans are but good intentions unless someone follows up on the blueprint and builds the design.
Risk management means implementation: specifically, implementing your risk assessment action items.
Both mega organizations and small practices continue to make the same mistake, and both continue to pay the price. They have plans to complete every item identified in their risk assessment, but they haven’t gotten around to it. Worse, many practices, like FMCNA, haven’t fulfilled the full spectrum of risk assessment requirements, simply because they’re not clear on what’s involved.
How would you appraise your HIPAA know-how? Is your knowledge current and comprehensive? Have you identified all the security gaps in your systems and procedures and eliminated all the holes?
Download a FREE copy of What Your Practice Must Know About the HIPAA Privacy & Security Rules to build on your baseline knowledge of HIPAA compliance and effectively train your team.
Master HIPAA compliance with the industry’s best-selling handbook — the HIPAA Handbook 2018. Our nationally-recognized HIPAA compliance experts lay out best practices and walk you step-by-step through the dos and don’ts of compliance. We also address new target areas and introduce you to tools to nail down risk assessments, tighten up your EHR privacy and security, reassess your risk analysis plan, prep for audits, and more.
Stay on top of evolving regulations, new technologies, and security threats with current, to-the-point guidance in your monthly subscription to Health Information Compliance Alert. In every issue, our experts tackle challenging security scenarios across the spectrum of health IT to keep you in the know, help you train your staff, and equip you to implement protocols to preserve the integrity of your practice.