Recent OCR Actions Make Implementing HIPAA Safeguards Imperative for Organizations
The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a HIPAA settlement of $2.2 million and a requirement for MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) to implement a corrective action plan. This action was based on the impermissible disclosure of unsecured electronic protected health information (ePHI).
On September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a “pen drive”) containing ePHI had been stolen from its IT department, where the device had been left overnight without safeguards. The device held the complete names, dates of birth, and Social Security numbers of 2,209 individuals. MAPFRE was able to identify the breached ePHI by reconstituting the data from the computer to which the USB device had been attached. OCR’s investigation found noncompliance with the HIPAA Rules: a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations; a failure to deploy encryption, or an equivalent alternative measure, on its laptops and removable storage media; and a failure to implement, or a delay in implementing, other corrective measures.
Mobile Devices Are Often the Main Cause of HIPAA Breaches
Carrie Kusserow, a HIPAA expert, notes that most HIPAA breaches still occur as a result of poor controls over mobile devices, specifically laptop computers, combined with a failure to properly encrypt and password protect protected health information (PHI). She also reminds everyone that in 2016 OCR began its second round of audits. OCR sent email notifications to a random sample of Covered Entities (CEs) and Business Associates (BAs) informing them that they had been selected for an audit. These audits check CE and BA compliance with the HIPAA Privacy, Security, and Breach Notification Rules, which includes controls over mobile devices. The audits follow a record-breaking year of settlements and can be expected to generate more findings and settlements.
The HIPAA Security Rule requires CEs and BAs to conduct an accurate and thorough risk analysis of the risks to the confidentiality, integrity, and availability of ePHI; that analysis underpins the Rule’s administrative, physical, and technical safeguards and reveals where an organization’s ePHI is at risk. OCR’s official guidance on risk analysis is available online to assist in this effort.
17 Tips on Implementing HIPAA Compliance Requirements
- Ensure policies/procedures govern receipt and removal of laptops containing ePHI.
- Verify workforce member and user controls for gaining access to ePHI.
- Ensure laptops and mobile devices are properly encrypted and password protected.
- Conduct a complete security risk analysis that addresses ePHI vulnerabilities.
- Implement safeguards that prevent access by unauthorized users.
- Engage outside experts to independently verify Privacy/Security Officers are meeting their obligations.
- Validate effectiveness of internal controls, policies, and procedures.
- Ensure identified risks have been properly addressed with corrective action measures.
- Review adequacy of security processes to address potential ePHI risks and vulnerabilities.
- Ensure that the compliance hotline is set up to receive HIPAA-related calls.
- Verify that the Code of Conduct covers reporting of HIPAA violations.
- Ensure an up-to-date list of BAs, which includes contact information.
- Verify that all BAs have signed business associate agreements.
- Train the workforce on HIPAA policies and procedures, including reporting violations.
- Investigate complaints, allegations, and reports of non-compliance promptly and thoroughly.
- Develop corrective action plans to promptly address any weaknesses identified.
- Follow basic information security practices to prevent PHI breaches.
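The MAPFRE finding above (no encryption on laptops or removable storage media) and the tip on encrypting laptops and mobile devices are the kind of control an auditor will ask you to evidence, not just assert. The following script is an added example, not code from the original article or from OCR guidance: it reads a block-device inventory in the JSON layout produced by `lsblk --json -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT` and reports every volume that carries a plain (non-LUKS) filesystem and is not mounted from a `crypt` device. The sample inventory embedded below is constructed for the example, and the allowlist of plaintext mounts (`/boot`, `/boot/efi`) is an assumed policy choice, since a boot partition is normally unencrypted by design.

```python
"""Audit an lsblk inventory for unencrypted laptop and removable volumes.

Added example. Input is assumed to be the JSON emitted by
`lsblk --json -o NAME,TYPE,RM,FSTYPE,MOUNTPOINT`; run `lsblk ... | python3 this.py`
on a real host, or use the constructed sample below.
"""
import json
import sys

# Constructed sample inventory (not captured from a real host):
#   sda  internal disk, LUKS-encrypted root, plaintext EFI partition
#   sdb  USB pen drive with a plain FAT filesystem  -> should be flagged
#   sdc  USB drive whose only filesystem lives inside a LUKS container
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "rm": false, "fstype": null, "mountpoint": null,
   "children": [
     {"name": "sda1", "type": "part", "rm": false, "fstype": "vfat", "mountpoint": "/boot/efi"},
     {"name": "sda2", "type": "part", "rm": false, "fstype": "crypto_LUKS", "mountpoint": null,
      "children": [
        {"name": "root", "type": "crypt", "rm": false, "fstype": "ext4", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "rm": true, "fstype": null, "mountpoint": null,
   "children": [
     {"name": "sdb1", "type": "part", "rm": true, "fstype": "vfat", "mountpoint": "/media/usb0"}]},
  {"name": "sdc", "type": "disk", "rm": true, "fstype": null, "mountpoint": null,
   "children": [
     {"name": "sdc1", "type": "part", "rm": true, "fstype": "crypto_LUKS", "mountpoint": null,
      "children": [
        {"name": "usb_secure", "type": "crypt", "rm": false, "fstype": "ext4",
         "mountpoint": "/media/secure"}]}]}
]}
"""

# Assumed policy: these mountpoints may legitimately be plaintext.
DEFAULT_ALLOWED_PLAINTEXT_MOUNTS = frozenset({"/boot", "/boot/efi"})

# fstypes that are containers rather than data-bearing filesystems.
CONTAINER_FSTYPES = {"crypto_LUKS", "LVM2_member"}


def _is_true(value):
    """lsblk emits RM as a JSON bool in newer util-linux and as "0"/"1" in older ones."""
    if isinstance(value, bool):
        return value
    return str(value).strip() in ("1", "true", "True")


def _walk(node, removable, encrypted, out):
    """Depth-first walk; removability and encryption are inherited from ancestors."""
    removable = removable or _is_true(node.get("rm", False))
    # A device-mapper 'crypt' node, and everything stacked on it, is encrypted.
    encrypted = encrypted or node.get("type") == "crypt"
    fstype = node.get("fstype")
    if fstype and fstype not in CONTAINER_FSTYPES:
        out.append({
            "name": node["name"],
            "fstype": fstype,
            "mountpoint": node.get("mountpoint"),
            "removable": removable,
            "encrypted": encrypted,
        })
    for child in node.get("children", []):
        _walk(child, removable, encrypted, out)


def parse_inventory(lsblk_json):
    """Return one record per data-bearing filesystem in the lsblk JSON."""
    inventory = json.loads(lsblk_json)
    volumes = []
    for device in inventory.get("blockdevices", []):
        _walk(device, False, False, volumes)
    return volumes


def find_unencrypted(lsblk_json, allowed_plaintext_mounts=DEFAULT_ALLOWED_PLAINTEXT_MOUNTS):
    """Volumes that hold a plain filesystem outside an encrypted container."""
    return [
        vol for vol in parse_inventory(lsblk_json)
        if not vol["encrypted"] and vol["mountpoint"] not in allowed_plaintext_mounts
    ]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK_JSON
    for finding in find_unencrypted(data):
        kind = "REMOVABLE" if finding["removable"] else "internal"
        print(f"UNENCRYPTED {kind}: {finding['name']} ({finding['fstype']}) "
              f"mounted at {finding['mountpoint']}")
```

On the constructed sample the only finding is `sdb1`, the plaintext USB pen drive; the LUKS-backed `root` and `usb_secure` volumes pass, and `/boot/efi` is skipped by the allowlist. Running this as a scheduled check and keeping its output is the sort of evidence that distinguishes "we have an encryption policy" from the verifiable control OCR expects.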