So, what’s new? Nothing… Risk Analysis, Policies & Procedures, Unencrypted Laptops, Security Incident Response and Reporting, Access Control, Device & Media Control — Hey, it’s starting to look like the HIPAA Security Rule. Here’s today’s big tip – Learn, Again, From an HHS Settlement Agreement!

OCR Collects Another $1.5M in Enforcement Revenues

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as “MEEI”) Pays HHS $1.5M

Straight from the HHS/MEEI Resolution Agreement…

3. Factual Background and Covered Conduct

On April 21, 2010, HHS received notification from MEEI regarding a breach of its unsecured electronic protected health information (ePHI). On October 5, 2010, HHS notified MEEI of its investigation regarding MEEI’s compliance with the Privacy, Security, and Breach Notification Rules.

HHS’ investigation indicated that the following conduct occurred (“Covered Conduct”):

  1. MEEI did not demonstrate that it conducted a thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process from the compliance date of the Security Rule to October 29, 2009. In particular, MEEI did not fully evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices, implement appropriate security measures to address such potential risks, document the chosen security measures and the rationale for adopting those measures, and maintain on an on-going basis reasonable and appropriate security measures.
  2. MEEI’s security measures were not sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 17, 2010.
  3. MEEI did not adequately adopt or implement policies and procedures to address security incident identification, reporting, and response from the compliance date of the Security Rule to March 8, 2010.
  4. MEEI did not adequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or to provide it with a reasonable means of knowing whether or what type of portable devices were being used to access its network from the compliance date of the Security Rule to March 8, 2010.
  5. MEEI did not adequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility from the compliance date of the Security Rule to May 17, 2010. MEEI had no reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility.
  6. MEEI did not adequately adopt or implement technical policies and procedures to allow access to ePHI using portable devices only to authorized persons or software programs from the compliance date of the Security Rule to June 15, 2010. MEEI did not implement an equivalent, reasonable, and appropriate alternative measure to encryption that would have ensured confidentiality of its ePHI or document the rationale supporting the decision not to encrypt.

Recommended HIPAA Audit Prep next actions:

  1. Study this and other HHS Settlement Agreements.
  2. Study the audit protocols and assess your compliance and audit readiness.
  3. If you need security incident procedures, consider using our Policies and Procedures Toolkits which include templates.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Wanna be even more ready for an audit or hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Audit Preparation, Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.