OCR began its second round of HIPAA audits by notifying randomly selected Covered Entities and Business Associates (BAs) that they had been selected for review to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules. During the notification process, OCR also reported record settlements with HIPAA violators. The most recent is a $2.2 million settlement with New York Presbyterian Hospital (NYP) for unauthorized disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series. OCR will monitor NYP for two years to ensure compliance with its HIPAA obligations. The NYP settlement followed on the heels of OCR’s $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. of North Carolina for handing over PHI for approximately 17,300 patients to a potential business partner without first executing a Business Associate Agreement (BAA), in violation of the HIPAA Privacy Rule. Raleigh was also required to revise its HIPAA policies and procedures to (a) establish a process for assessing whether entities are BAs; (b) designate an individual to ensure BAAs are in place prior to disclosing PHI; (c) create a standard template BAA; (d) establish a standard process for retaining BAA documentation for at least six years; and (e) limit disclosures of PHI to any BA to the minimum necessary to accomplish its contractual duties.
NYP and Raleigh are only the latest in a series of settlements over the last 60 days. They follow OCR’s $3.9 million settlement with the Feinstein Institute for Medical Research. Feinstein, a not-for-profit biomedical research institute, violated the HIPAA Privacy Rule as a result of losing a laptop with 13,000 names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study. Shortly before OCR’s Feinstein settlement, it announced another settlement with North Memorial Health Care of Minnesota for $1.5 million in relation to HIPAA violations stemming from failure to enter into a BAA with a major contractor and failing to address the risks and vulnerabilities to its patient information.
Connect With A HIPAA Compliance Expert.Contact Us Today
14 Tips and Lessons Learned From the Settlements
- Ensure that HIPAA is included in reports to executive and Board oversight committees.
- Conduct a complete security risk analysis that addresses ePHI vulnerabilities to the confidentiality, integrity, and availability.
- Ensure that security management processes adequately address potential ePHI risks and vulnerabilities.
- Develop a corrective action plan to promptly address any identified weaknesses.
- Ensure that laptops and mobile devices are properly encrypted and password protected.
- Implement policies and procedures governing receipt and removal of laptops containing ePHI and for controlling access to ePHI by workforce members and users.
- Keep track of mobile devices and employee access as basic security requirements.
- Train the workforce on all developed or revised policies and procedures.
- Implement adequate policies and procedures for authorizing access to ePHI.
- Implement safeguards to restrict access to unauthorized users.
- Ensure that research programs meet HIPAA compliance standards for participating patients.
- Maintain a list of all BAs, including contact information.
- Verify that all BAs have signed BAAs.
Subscribe to blog