So, what’s new? Nothing… Risk Analysis, Policies & Procedures, Unencrypted Laptops, Security Incident Response and Reporting, Access Control, Device & Media Control — Hey, it’s starting to look like the HIPAA Security Rule. Here’s today’s big tip – Learn, Again, From an HHS Settlement Agreement!
OCR Collects Another $1.5M in Enforcement Revenues
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) Pays HHS $1.5M
Straight from the HHS/MEEI Resolution Agreement…
3. Factual Background and Covered Conduct
On April 21, 2010, HHS received notification from MEEI regarding a breach of its unsecured electronic protected health information (ePHI). On October 5, 2010, HHS notified MEEI of its investigation regarding MEEI’s compliance with the Privacy, Security, and Breach Notification Rules.
HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):
- MEEI did not demonstrate that it conducted a thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to October 29, 2009. In particular, MEEI did not fully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
- MEEI’s security measures were not sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 17, 2010.
- MEEI did not adequately adopt or implement policies and procedures to address security incident identification, reporting, and response from the compliance date of the Security Rule to March 8, 2010.
- MEEI did not adequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or to provide it with a reasonable means of knowing whether or what type of portable devices were being used to access its network from the compliance date of the Security Rule to March 8, 2010.
- MEEI did not adequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility from the compliance date of the Security Rule to May 17, 2010. MEEI had no reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility.
- MEEI did not adequately adopt or implement technical policies and procedures to allow access to ePHI using portable devices only to authorized persons or software programs from the compliance date of the Security Rule to June 15, 2010. MEEI did not implement an equivalent, reasonable, and appropriate alternative measure to encryption that would have ensured confidentiality of its ePHI or document the rationale supporting the decision not to encrypt.
Recommended HIPAA Audit Prep next actions:
- Study this and other HHS Settlement Agreements.
- Study the audit protocols and assess your compliance and audit readiness.
- If you need security incident procedures, consider using our Policies and Procedures Toolkits which include templates.
Wanna be even more ready for an audit or hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://www.twitter.com/ClearwaterHIPAA
- Subscribing to our eNewsletter: https://clearwatercompliance.com/newsletters/
- Attending a HIPAA HITECH live webinar: http://clearwatercompliance.com/live-educational-webinars/
By Bob Chaput