The headlines over the last week highlighted that an oncology practice in Indiana, Cancer Care Group, P.C., received a $750,000 fine for HIPAA non-compliance from the Office for Civil Rights. After a laptop bag was stolen out of an employee’s car in 2012, the information of approximately 55,000 patients was breached, including names, addresses, dates of birth, Social Security numbers, clinical information, and insurance information. The laptop didn’t have any safeguards such as encryption applied to it, creating risk for those 55,000 patients. In the settlement, the organization must pay a hefty $750,000 fine; HOWEVER, that is only part of the corrective action settlement. The organization must do a lot more than just pay the fine, causing additional costs and time commitments for the organization. In addition, the corrective action plan is valid for 3 years from the effective date!!
Looking deeper into the corrective action plan (CAP) between Cancer Care Group and Department of Health and Human Services (HHS), they are also required to:
- Conduct a HIPAA Risk Analysis within 90 days of the CAP effective date
  - Submit the Risk Analysis Report to HHS for approval
  - If the Risk Analysis is not approved, Cancer Care Group will have 60 days to revise the Risk Analysis and resubmit it to HHS for approval
- Implement an organization-wide risk management plan to address and mitigate any risks and vulnerabilities found during the risk analysis
  - Within 90 days of approval of the Risk Analysis by HHS, Cancer Care Group must submit the Risk Management Plan to HHS for approval
  - If the Risk Management Plan is not approved, Cancer Care Group must update the Risk Management Plan and resubmit it to HHS within 60 days
  - Once approved, Cancer Care Group must begin implementation of the Risk Management Plan
- Review and revise policies and procedures relating to the HIPAA Security Rule
  - Based on the findings from the HIPAA Risk Analysis, Cancer Care Group must review and revise all policies and procedures relating to the HIPAA Security Rule
  - All policies and procedures must be forwarded to HHS within 60 days of the approval of the Risk Management Plan
  - If the policies and procedures are not approved by HHS, Cancer Care Group will have to revise and resubmit them within 30 days
  - Within 30 days of approval of the policies and procedures by HHS, Cancer Care Group must implement the new policies and procedures
- Review and revise the Security Rule training program based on the risk analysis findings
  - Revise and update the training program and submit it to HHS for approval within 60 days of HHS approving the Risk Analysis
  - Within 30 days of HHS approving the training program, administer the approved training program to the entire Cancer Care Group workforce
- Any reportable events (failure of a workforce member to comply with policies and procedures, a security incident, a potential data breach, etc.) must be promptly investigated and reported to HHS within 30 days of becoming aware of the incident
  - The notification must include: 1) a description of the event, including relevant facts, the individuals involved, and the policies and procedure(s) impacted, AND 2) a description of the actions taken and future actions planned
- Provide HHS with annual reports covering the following for the CAP timeframe (3 years)
  - Updates or changes to the approved Risk Analysis or Risk Management Plan
  - Updates or changes to Cancer Care Group’s approved HIPAA policies and procedures
  - A summary of all reportable privacy and security events
  - An attestation by the appointed officer/owner at Cancer Care Group that he/she has appropriately reviewed the annual report to HHS, and verification that the information is truthful and accurate
In the event that you find your organization in the middle of a data breach that is being reported to HHS, the proper steps should be taken to evaluate your current level of compliance. It is best to identify the risks and vulnerabilities to your organization immediately rather than waiting for HHS to come in and mandate that you evaluate your compliance. As the above information shows, HHS doesn’t just ‘go away’ after the fine is paid. Being linked and connected to HHS for 3 years post-settlement is intense and challenging. Relying on HHS approval for every aspect of your HIPAA Security Rule program can be overwhelming and stressful. Don’t find yourself in this situation.
Remember – your organization is the one responsible for compliance with the federal privacy and security requirements. With Phase 2 of the HIPAA Audits on the verge of starting, now is the time to get out and evaluate. Waiting for HHS to come in and tell you what to do, or worse, assess a fine, is something that should be avoided!
Take time to evaluate your compliance, plan your mitigation strategies and take action for compliance!
Danika