What’s worse than a 2.5 million dollar HIPAA settlement? Knowing that it could have been avoided, that’s what.
The Department of Health and Human Services (HHS) oversees HIPAA enforcement. As part of this enforcement, HHS publishes official summaries of their completed cases. This one might give you nightmares.
Consider this Cautionary Tale…
On April 24, 2017, HHS released a summary of a case involving a remote cardiac monitoring company, CardioNet. Back in 2012, one of the company’s employees left a laptop in their car overnight, parked just outside their house, and the laptop was stolen. It contained unsecured protected health information (PHI) for more than a thousand patients, accessible by anyone who possessed that laptop.
When the company followed procedure and reported this breach to HHS, it triggered an investigation into their compliance with HIPAA’s Security Rule. HHS found that CardioNet had not employed a sufficient risk analysis and management process and had not created the policies and procedures necessary to protect their patients’ health information.
In other words, they were not in compliance with HIPAA. HHS’s official headline makes the message clear: “$2.5 million settlement shows that not understanding HIPAA requirements creates risk.”
An unfortunate event, for both the company and the patients involved. But how does this help to demonstrate how your practice can stay in compliance?
What Should Have Been Done Differently?
To begin with, this case illustrates two important elements of HIPAA compliance that are often overlooked.
First, HHS found the risk analysis and management process of the cardiac monitoring company to be insufficient.
This is the same risk analysis and management that is the cornerstone of compliance with the HIPAA Security Rule. A risk analysis must comprehensively analyze your office’s actual I.T. risks, threats, and vulnerabilities.
All devices that create, store, or transmit electronic PHI need to be included in your analysis. Depending on the complexity of your I.T. infrastructure, this can be quite an undertaking, but necessary nonetheless. Other circumstances can also influence what needs to be covered by the risk analysis.
For example, if you have an internet accessible website that delivers PHI to patients, you must consider an entirely new set of risks, threats, and vulnerabilities. The website and the PHI are now accessible over the public internet, which allows hackers from around the globe access to information if security measures are insufficient. A risk analysis must cover all points where electronic PHI is created, stored, or transmitted and it must be customized for your own I.T. structure.
This is the most important activity when it comes to compliance with HIPAA’s Security Rule.
Depending on the complexity of your I.T. structure, it may be well worth it to involve an I.T. professional and/or use a risk analysis tool.
Second, this case illustrates the consequences of one of the most common breach situations.
It involves a stolen electronic device that contained unsecured PHI. In 2012, the year the initial incident in this case occurred, approximately 40% of reportable breaches were the result of lost or stolen devices. While it does not cover all HIPAA requirements, taking steps to avoid a situation like this will go a long way to reduce potential legal and financial liability.
Again, the steps you should take depend primarily on your existing I.T. structure. The key is to make it impossible for the unauthorized person who found or stole the device to view or gain access to the PHI. This can be accomplished in a variety of ways.
If you use an electronic health records system exclusively and the device is only used to access the records without storing any PHI on its own memory, then an unauthorized person could not reasonably access that information—assuming the electronic health records system requires a login or some other sort of user authentication.
However, if PHI is stored on the actual device, the approach must be different. Two good and relatively inexpensive options in this scenario are full-drive encryption and/or the ability to wipe the device’s memory remotely. If implemented correctly, either of these options will make it practically impossible for the unauthorized person to access PHI.
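The risk analysis described earlier (every device that creates, stores, or transmits electronic PHI, customized to your own I.T. structure) and the lost-device rules just laid out (access-only devices behind an EHR login versus devices that hold PHI locally, which need full-drive encryption or remote wipe) can be turned into a simple inventory check. The following Python script is an added example written for this page; it is not code from the post or from YourHIPAATraining.com, and the device names, fields, and the sample inventory are all constructed for illustration.

```python
"""Added example: a device-inventory check for the HIPAA Security Rule risk
analysis described in the post. The inventory below is constructed sample data,
not any real practice's (or CardioNet's) equipment."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Device:
    """One entry from the practice's device inventory (hypothetical fields)."""
    name: str
    handles_ephi: bool          # creates, stores, or transmits ePHI: in scope of the analysis
    stores_ephi_locally: bool   # PHI resident on the device's own storage
    full_drive_encryption: bool = False
    remote_wipe: bool = False
    ehr_requires_login: bool = True   # only matters for access-only devices
    internet_facing: bool = False     # e.g. a patient portal reachable from the public internet


@dataclass
class Finding:
    device: str
    severity: str        # "high", "medium", "low" or "info"
    issue: str
    recommendation: str


def assess_device(d: Device) -> list[Finding]:
    """Apply the post's lost-device and public-exposure rules to a single device."""
    out = []
    if not d.handles_ephi:
        out.append(Finding(d.name, "info", "no ePHI handled; out of scope",
                           "record the exclusion so the analysis shows it was considered"))
        return out
    if d.stores_ephi_locally:
        # The stolen-laptop scenario: local PHI is only safe if the thief cannot read it.
        if d.full_drive_encryption or d.remote_wipe:
            out.append(Finding(d.name, "low", "local ePHI, protected against loss or theft",
                               "verify encryption/wipe is actually enabled and keys are not stored with the device"))
        else:
            out.append(Finding(d.name, "high", "local ePHI with neither full-drive encryption nor remote wipe",
                               "enable full-drive encryption or remote wipe before the device leaves the office"))
    elif not d.ehr_requires_login:
        out.append(Finding(d.name, "high", "access-only device, but the EHR is reachable without authentication",
                           "require a login (and a device lock) so a thief cannot open patient records"))
    else:
        out.append(Finding(d.name, "low", "access-only device; EHR login required, no local ePHI",
                           "keep local caching disabled and review periodically"))
    if d.internet_facing:
        # A public website delivering PHI brings a separate set of threats into scope.
        out.append(Finding(d.name, "medium", "PHI exposed over the public internet",
                           "add web-application threats (remote attackers, credential abuse) to the analysis"))
    return out


def assess_inventory(devices: list[Device]) -> list[Finding]:
    """Run the check over the whole inventory; every in-scope device yields at least one finding."""
    findings = []
    for d in devices:
        findings.extend(assess_device(d))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity present, so a single unprotected device is not hidden by a green summary."""
    present = {f.severity for f in findings}
    for s in ("high", "medium", "low", "info"):
        if s in present:
            return s
    return "info"


# Constructed sample inventory (hypothetical device names).
SAMPLE_INVENTORY = [
    Device("field-laptop-01", handles_ephi=True, stores_ephi_locally=True),          # unprotected local PHI
    Device("field-laptop-02", handles_ephi=True, stores_ephi_locally=True, full_drive_encryption=True),
    Device("front-desk-pc", handles_ephi=True, stores_ephi_locally=False),
    Device("kiosk-tablet", handles_ephi=True, stores_ephi_locally=False, ehr_requires_login=False),
    Device("patient-portal-web", handles_ephi=True, stores_ephi_locally=False, internet_facing=True),
    Device("breakroom-tv", handles_ephi=False, stores_ephi_locally=False),
]

if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:6}] {f.device}: {f.issue} -> {f.recommendation}")
    print(severity_counts(results), "worst:", worst_severity(results))
```

The two "high" findings are the cases the post warns about: a device carrying unencrypted PHI with no remote wipe, and an access-only device whose EHR can be opened without a login. A real analysis would feed the script from the practice's actual asset list and treat any "high" as blocking until the control is in place.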
In fact, had the cardiac company in the case correctly used either of these options, it is possible that they would not even have had to report the theft as a breach. There would not have been a compliance review and, perhaps most importantly, there would have been no fines or negative publicity at all.
As this case demonstrates, ignorance of the law is not a defense. However, every step closer to compliance reduces the potential legal and financial liability a practice may face. Performing sufficient risk analyses and ensuring that the PHI on your mobile devices can be secured after a loss or theft are not the only requirements, but they are two giant steps forward.
Train Your Team and Ensure Understanding of HIPAA’s Requirements
What should a small practice do to avoid unsuccessful audits and crippling HIPAA fines like this one? Training your team properly to understand and comply with HIPAA’s requirements remains your best precaution against violations. We’ve updated our own HIPAA training program at YourHIPAATraining.com in response to the most recent Phase II audit protocol used by HHS—so this is your chance to train based on HHS’ own enforcement standards.
Once trained, it’s equally important that you retrain frequently (once a year is recommended), train new hires immediately (not next week or next month), and ensure that your Security and Privacy Officer(s) understand and follow through with recommended steps for compliance. Fines like this one often could have been prevented.
Friendly Disclaimer: This information is general in nature and is not intended to provide legal advice or replace counsel about a specific HIPAA compliance issue with a specialized attorney. This material is meant to provide information that is believed to be current as of the date of this post.