Security Warning Wednesday - The April HIPAA Hammer

HHS is on a roll! In April there were two settlement agreements announced on two different sides of the spectrum. I don't think anyone was too sure how HHS was going to proceed in this arena after the appointment of Tom Price, but early indications seem to be full steam ahead.

The first settlement agreement was for $31,000. Not a huge fine by OCR standards, but a sizable amount of money nonetheless. The noteworthy part of this offense is that the investigation started at the Business Associate level -- not at the practice itself. However, the findings at the Business Associate led to an investigation of the practice. The reason for the settlement? The investigation found that the practice had started disclosing PHI to the business associate without a Business Associate Agreement in place. The vendor was storing legacy printed medical records.

The second settlement agreement was for quite a bit more: $2,500,000. This was a more classic incident - a stolen employee laptop that contained ePHI. However, OCR really brought the hammer in this instance. The company was missing technical safeguards on the laptop. In addition, their HIPAA policies and procedures had never been finalized and were sitting in a draft status. Roger Severino, director of OCR, was quoted as saying that the disregard for security was a major factor in this fine.

Moral of the stories? It's more important than ever to have finalized HIPAA policies & procedures and to have documentation that your employees have reviewed them. Be sure to have technical safeguards in place and a policy for mobile laptops/devices that access ePHI. And finally, be sure to have Business Associate Agreements in place with all 3rd party vendors who access PHI.

All of these things can seem overwhelming for a small practice but never fear! NeoCloud Consulting has a comprehensive HIPAA Compliance package. All implementations start with a Risk Assessment to find any policy gaps and fix them. Our web-based system also automates employee attestation, policy review, training and more! The technical safeguards are a part of our managed service packages as well. Whether you're a Covered Entity or a Business Associate, we can help protect your business from compliance issues!

If you'd like to know more about our offerings, please contact us!