Two recent reports should make providers stop, take notice and make sure their practice's policies and procedures are up-to-date.
The first one involves a HIPAA Breach settlement of a company with facilities in several states. The OCR memo stated "In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures." The following failures were outlined in the report:
- Failure "to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI."
- They "impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule."
- Failure "to implement policies and procedures to address security incidents."
- Failure "to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility."
- Failure "to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances."
- Failure "to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances."
Every healthcare practice needs to review these six items and ensure that they have taken the appropriate steps to ensure compliance. A Risk Analysis must be conducted annually. It is essential that the previous items are addressed and that you have appropriate policies and procedures in place - which brings us to the next issue.
The second incident involved a ransomware attack on a large EHR company. Approximately 1,500 practices were essentially shut down and in some cases unable to even schedule appointments. While this attack could not have been prevented by those healthcare practices, it shines a light on one important HIPAA provision - a disaster plan. The HIPAA Security Officer is responsible for testing and implementing a contingency and disaster recovery plan. Those practices that have complied with HIPAA by having a viable contingency plan are more effectively able to face situations like this.
To help providers maintain compliance, Find-A-Code's Complete and Easy HIPAA Compliance publication includes, as part of its downloadable, editable templates, a Contingency Plan Procedure (includes a disaster recovery plan) and a Policies and Procedures document.