Avoid HIPAA Sanctions with Security Policies and Procedures
If you think your health care organization is immune to financial penalties following a violation of the Health Insurance Portability and Accountability Act (HIPAA), think again. Today, with the use of mobile phones, laptops, and other portable storage devices—more than ever—you need policies and procedures to safeguard private patient information, no matter how it’s used or accessed.
As an example of how implementing privacy and security policies and procedures is important, Robert A. Pelaia, Esq., CPC, CPCO, uses a recent (Jan. 2, 2013) HIPAA settlement case, which is the first case involving a breach affecting fewer than 500 individuals. The violation involved an Idaho hospice provider and the theft of an unencrypted laptop computer containing electronic protected health information (ePHI). The provider notified the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), as required under 45 C.F.R. section 164.408, about the 441 patients affected. OCR investigated the incident and found that “the provider didn’t conduct a risk analysis to safeguard ePHI and there were no policies or procedures in place in regards to mobile device security, which is a requirement under HIPAA Security Rule,” according to Pelaia. “For the settlement, the provider had to pay HHS $50,000 and begin a corrective action plan.”
In cases that Michael D. Miscoe, Esq., CPC, CASCC, CUC, CCPC, CPCO, CHCC, has handled, and based on his discussions with the OCR investigators handling them, “the sufficiency of the Privacy and Security Policies and procedures is more of a concern to them than the breach is—especially where the entity is without fault (i.e., theft of data or disclosure by a business associate).” For this reason, Miscoe says, “It’s important for your health care organization to conduct a detailed risk analysis addressing every method of accessing or using PHI in your organization. This is then followed by development and review of appropriate policies and procedures. Because policies and procedures must address all the ways in which your specific organization uses, accesses, and discloses ePHI and PHI, it is unlikely that ‘off-the-shelf’ products and consultant-generated products from a template will be sufficient.”
Miscoe recommends these tips to help protect and safeguard your PHI from potential security breaches:
- Policies and procedures should be drafted by legal counsel only after conducting a thorough risk analysis.
- Policies and procedures should be updated as methods of storage, access, or use of ePHI or PHI change. This is where having a Certified Professional Compliance Officer (CPCO™) is invaluable to ride herd over the policies and procedures to ensure they are current.
- Periodic (at least annually) formal review should occur to ensure that policies and procedures are being followed and accurately reflect how PHI is acquired, used, stored, and disclosed.
“Failure to take these steps, under the tier system of penalties in the Health Information Technology for Economic and Clinical Health (HITECH) Act,” Miscoe points out, “will likely mean the difference between a $100 fine and a $50K fine as in the case identified by Robert.”