Have you ever heard the saying “the job is not complete until the paperwork is done”? Covered Entities and Business Associates should be cognizant of the importance of finalizing and implementing HIPAA policies and procedures, and of conducting adequate risk analyses and risk management plans. HIPAA policy requirements ensure that entities assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI (see 45 C.F.R. § 164.308(a)(1)(ii)(A)).
In January 2012, an HHS Office for Civil Rights (OCR) investigation into an impermissible disclosure by CardioNet revealed that CardioNet had an insufficient risk analysis and risk management process in place at the time of the theft of an employee’s laptop. Additionally, CardioNet’s HIPAA policies and procedures for implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the organization was unable to produce any final HIPAA policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
Mobile devices in the health care industry remain particularly vulnerable to theft and loss. Failure by Covered Entities and Business Associates to implement mobile device security puts individuals’ sensitive health information at risk. This disregard for security can result in a serious HIPAA breach, which affects each individual whose information is left unprotected. In the case of CardioNet, there were 1,391 impermissible disclosures, resulting in a settlement of $2.5 million. This fine might have been reduced had their HIPAA policies been finalized!
What can Covered Entities and Business Associates do to implement HIPAA Policies protecting the confidentiality of ePHI?
- Conduct a HIPAA Risk Analysis: Covered entities and business associates are required to conduct a risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. See 45 C.F.R. § 164.308(a)(1)(ii)(A).
- Develop a rigorous risk management plan: Covered entities and business associates must implement HIPAA policies and procedures that address the deficiencies identified in the risk analysis. See 45 C.F.R. § 164.308(a)(1)(i)(B).
- Finalize HIPAA Policies and Procedures: Covered entities and business associates must finalize and formally implement their HIPAA policies and maintain records proving that the policies have been approved and distributed to staff members. Consider creating a HIPAA Policy Manual to streamline the process of annual review and approval.
- Establish Device and Media Controls: Covered entities and business associates must have policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI, both within and outside of the entity’s facility. See 45 C.F.R. § 164.310(d) and HHS’s tips and information on protecting and securing health information when using mobile devices.
- Train Staff Members: A significant number of breaches are caused by employees leaving mobile devices unattended in their vehicles. Most of these incidents can be prevented simply by consistently reminding staff to maintain control over their devices and by providing annual training on HIPAA policies and procedures.
Average Settlements for Civil Monetary Penalties
The average civil monetary penalty settlement has increased significantly: from approximately $1.1 million in 2015 to an average of $1.8 million in 2016, and currently $2 million to date in 2017, and OCR’s enforcement shows no signs of slowing down. Compliance with HIPAA policies is best monitored via periodic HIPAA risk analyses, which are less costly than any breach!