TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare

Breaking Down a HIPAA Corrective Action Plan and Settlement: It’s Not All About the Money

by 2 Comments 

Healthcare NewsThe headlines over the last week highlighted that an Oncology Practice in Indiana, Cancer Care Group, P.C., received a $750,000 fine for HIPAA non-compliance by the Office for Civil Rights.  After a laptop bag was stolen out of an employee’s car in 2012, the information of approximately 55,000 patients was breached, including names, addresses, date of birth, social security number, clinical information, and insurance information.  The laptop didn’t have any safeguards such as encryption applied to it, creating risk for those 55,000 patients.  In the settlement, the organization must pay a hefty $750,000 fine; HOWEVER, it is only part of the correction action settlement.  The organization must do a lot more than just pay the fine – causing additional costs and time commitments to the organization.  In addition, the corrective action plan is valid for 3 years from the effective date!!
Looking deeper into the corrective action plan (CAP) between Cancer Care Group and Department of Health and Human Services (HHS), they are also required to:
  • Conduct a HIPAA Risk Analysis within 90 days of the CAP effective date
    • Submit the Risk Analysis Report for approval to the HHS
    • If the Risk Analysis is not approved, Cancer Care Group will have 60 days to revise the Risk Analysis and submit to the HHS for approval
  • Implement an organization-wide risk management plan to address and mitigate any risks and vulnerability found during the risk analysis
    • Within 90 days of approval of the Risk Analysis from HHS, Cancer Care Group must submit the Risk Management Plan to HHS for approval.
    • If the Risk Management Plan is not approved, Cancer Care Group must update the Risk Management Plan and resubmit to HHS within 60 days.
    • One approved, Cancer Care Group must begin the implementation of the Risk Management Plan.
  • Review and revise policies and procedures relating to the HIPAA Security Rule
    • Based on the findings from the HIPAA Risk Analysis, Cancer Care Group must review and revise all policies and procedures relating the to the HIPAA Security Rule
    • All policies and procedures must be forward to HHS within 60 days of the approval of the Risk Management Plan
    • If policies and procedures are not approved by HHS, Cancer Care Group will have to revise and resubmit the policies and procedures within 30 days.
    • Within 30 days of approval of the policies and procedures from HHS, Cancer Care Group must implement the new policies and procedures.
  • Review and revise security rule training program based on the risk analysis findings
    • Revise and update the training program and submit for approval to HHS within 60 days of the approved Risk Analysis from HHS.
    • Within 30 days of approved training program from HHS, administer the approved training program to all Cancer Care Group workforce.
  • Any reportable events (failure of workforce member to comply with policies and procedures, security incident, potential data breach, etc.) must be promptly investigated and reported to HHS within 30 days of the awareness of the incident.
    • Notification must include: 1) a description of the event including relevant facts individuals involved and policies and procedure(s) impacted AND 2) description of actions taken and future actions planned
  • Provide HHS Annual Reports of the following for the CAP Timeframe (3 Years)
    • Updates or changes to the approved Risk Analysis or Risk Management Plan
    • Updates or changes to Cancer Care Group’s approved HIPAA policies and procedures
    • Summary of all Reportable Privacy and Security Events
    • Attestation by the appointed officer/owner at Cancer Care Group that he/she has appropriately reviewed the annual report to HHS and verification that the information is truthful and accurate.
In the event that you find your organization in the middle of a data breach that is being submitted to HHS, the proper steps should be taken to evaluate your current level of compliance.  It is best to try and identify risks and vulnerabilities to your organization immediately rather than waiting for the HHS to come and mandate that you evaluate your compliance.  From the above information, HHS doesn’t just ‘go away’ after the fine is appropriately paid.  Being linked and connected to the HHS for 3 years post settlement is intense and challenging.  Relying on approval from HHS of all aspects of the HIPAA Security Rule can overwhelming and stressful.  Don’t find yourself in this situation. 
Remember – your organization is the one responsible for compliance with the federal privacy and security requirements.  With the verge of Phase 2 of the HIPAA Audits starting soon, now is the time to get out and evaluate.  Waiting for the HHS to come in and tell you what to do, or worse, assess a fine is something that should be avoided!
Take time to evaluate your compliance, plan your mitigation strategies and take action for compliance!
Danika

Data Breach: It WILL NEVER Happen to Our Organization

by Leave a Comment

You choose your path: Be Prepared OR Be Scared.

Privacy security or safeguard diagram or flowchart written on a dry erase board as tips, advice or information on making your personal, sensitive data safe and secure

How many times have you heard an organization say “A data breach will never happen here,” “We are too small for a data breach to happen,” “It only happens to hospitals and insurance companies.”  The thought that a data breach will never happen to your organization can be your biggest mistake in the preparation and defense in the event that a data breach does occur.  If you asked all the organizations who have experienced a HIPAA data breach in the past 12 months, many of them would agree that they never believed that something like that could happen.

Healthcare covered entities and business associates need to plan and be prepared in the event a potential data breach does occur.  Policies, procedures, and processes should be established that can be immediately activated in the event that a potential breach occurs and needs to be stopped, investigated, and mitigated. 

Looking over the past week, we see data breaches are occurring at all types of healthcare facilities and for a variety of reasons.

  • Buffalo Heart Group, 500 to 600 impacted – Third Party working under a physician access information outside of the scope of the work to solicit patients with the movement of a physician to a new practice
  • Unity Recovery Group, Inc., Fewer than 1,000 impacted – improper disclosures of patient information to unaffiliated recovery services
  • New Jersey Medical Center, 1,400 Impacted – An e-mail with an spreadsheet meant for internal use was sent to an incorrect recipient
  • Beacon Health, unknown impacted – Victim to a sophisticated phishing attached that caused unauthorized access to e-mails with PHI
  • University of Rochester Medical Group, 3,400 Impacted – Former Nurse Practitioner took patient’s personal information with her when she left for another organization
  • HHC Jacobi Medical Center, 90,000 impacted – Improper access and transmission of files containing PHI to personal email account
  • Associated Dentists– theft of a laptop – one was encrypted and the other was not encrypted

One piece of advice to all healthcare organizations and business associates: Be Prepared.  Don’t follow the path of so many and think that a data breach will never occur within your organization. 

If you are not confident about your breach notification response plan, review and update the plan so that it makes sense for your organization.  Go through practice drills to assure the process gets practiced and is realistic in the event of a potential data breach occurring. 

If additional help is needed, reaching out to experts in the industry is always a great idea.  Having third party assistance in the creation and establishment of a process for your organization can help elevate some of the fears and challenges that healthcare covered entities face.

Be prepared, plan accordingly, and assure your breach investigation process is ready.  You never know when your organization maybe the next data breach – a good response plan can save your organization from unwanted reproductions that data breaches bring to organizations. 

“If you are failing to plan, you are planning to fail.” – Tariq Siddique

Danika

Recent Posts

Connect With Us

TriPoint Healthcare Solutions
dbrinda@tripointhealthcaresolutions.com
Phone: 612.325.9742
Fax: 763.322.5027