Earlier this week, the University of Texas MD Anderson Cancer Center was ordered to pay a staggering $4,348,000.00 to resolve HIPAA violations arising from data breaches that occurred in 2011, 2012, and 2013. The severity of the penalty is explained by the fact that the breaches were entirely preventable. Generally, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA) are required to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit, and to protect that information against reasonably anticipated threats and impermissible uses.
Just ask Cornell Prescription Pharmacy about the disposal of unshredded paper pharmacy records containing protected health information (PHI): the pharmacy paid $125,000 and entered into a Resolution Agreement with OCR. Beyond the significant penalty, the pharmacy is now subject to a corrective action plan requiring it to correct deficiencies in its HIPAA compliance program and to train its workforce members on that program within 30 days of implementing the new policies and procedures.
If you ever wonder whether you should be concerned about HIPAA compliance, consider the latest Office for Civil Rights (OCR) settlement with New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU).
OCR issued an update regarding two important HIPAA settlements involving the theft of unencrypted laptops. The first involved Concentra Health Systems' report of a breach in which an unencrypted laptop was stolen from the Springfield, Missouri Physical Therapy Center. OCR concluded that Concentra had recognized its lack of encryption in multiple earlier risk analyses, yet its encryption efforts remained incomplete and inconsistent, leaving patient PHI vulnerable. As a result, Concentra agreed to pay OCR $1,725,220 to settle the violations and will implement a corrective action plan to remediate the findings.
HIPAA requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps these organizations ensure compliance with HIPAA’s administrative, physical, and technical safeguards, and it helps reveal areas where an organization’s protected health information (PHI) could be at risk. The Office for Civil Rights released tools to assist covered entities. The Security Risk Assessment (SRA) Tool lets a covered entity take a self-directed tour of the HIPAA standards and conduct a risk assessment at its own pace. The tool shows each HIPAA standard that must be addressed and provides space to document how the covered entity meets, or plans to meet, that standard.