A Health Management Company Pays $25,000 to Settle Potential HIPAA Security Rule Violations

A health management company that provides diagnostic and laboratory developed tests has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The health management company is based in Georgia, and is certified under the Clinical Laboratory Improvement Amendments of 1988 (CLIA).

In December 2017, OCR initiated a compliance review of the health management company to determine its compliance with the HIPAA Privacy and Security Rules. OCR’s investigation found systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures.

The Acting OCR Director stated, “The failure to implement basic Security Rule requirements makes HIPAA-regulated entities attractive targets for malicious activity, and needlessly risks patients’ electronic health information. This settlement reiterates OCR’s commitment to ensuring compliance with rules that protect the privacy and security of protected health information.”

In addition to the monetary settlement, the health management company also agreed to a rigorous corrective action plan that includes three years of monitoring.

The resolution agreement and corrective action plan may be accessed here.

Compliance Perspective

Issue

It is essential that all healthcare workers understand HIPAA requirements and how they must secure protected health information (PHI). The Privacy Rule allows access to information needed to ensure high quality healthcare and to protect the public, while ensuring an individual’s health information is properly protected. All staff members at all levels must demonstrate understanding of the HIPAA Privacy Rule and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP2.0 Privacy Policy and Procedure.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates.
    • Train all staff on HIPAA, PHI, and Privacy upon hire, annually, and when any issues arise. Document that these trainings occurred and file the signed training document in the employee’s education file.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff and that each one demonstrates understanding and competency.

FOR MORE INFORMATION ON THIS TOPIC VIEW: PRIVACY IS EVERYONE’S RESPONSIBILITY.
