HIPAA Security Rule and Business Associate Agreement Compliance
by Michael Jenkins
Friday, January 16, 2015
In December of last year the Department of Health and Human Services Office for Civil Rights (OCR) announced a $150,000 settlement with a five-facility community mental health provider in Anchorage, Alaska after completing an investigation of HIPAA violations connected to a malware compromise of the provider’s IT network. OCR received notification from the facility of a breach of unsecured electronic protected health information (ePHI) affecting 2,743 patients and upon investigation found that the provider had failed to put in place compliance systems to address risks to the privacy of patient ePHI. In addition to the $150,000 settlement amount, the provider agreed to put in place a corrective action plan which requires it to report to the OCR on its HIPAA compliance efforts for two years. For more on the settlement see the HHS bulletin at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/acmhsbulletin.pdf.
The settlement is likely a sign that OCR will be expanding its enforcement efforts related to HIPAA violations brought on by network security breaches from malware or hacking attacks. The settlement also signals that OCR enforcement efforts are making their way to smaller providers outside of major healthcare markets. Industry experts predict that OCR efforts related to the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) will increase both due to complaints lodged with the OCR and due to random compliance audits.
As a covered entity or business associate of a covered entity, you should have all of your HIPAA compliance documentation organized and easily accessible should you be contacted by regulators. This documentation should include an up-to-date written HIPAA/HITECH Act compliance plan, records of HIPAA training programs conducted with staff, copies of business associate agreements that comply with the omnibus final rules which became effective in January of 2013. As you integrate new technologies into the workplace, do so in a way that complies with the Security Rule. Do not send ePHI in an unencrypted email. Do not store ePHI on an unencrypted file server. As ePHI makes its way to tablets and handheld devices, make sure that you are reviewing your policies and procedures to ensure you are addressing security and privacy issues.