The Office for Civil Rights (OCR)'s notorious “Wall of Shame” summarizes the Resolution Agreements and Press Releases for companies that have been fined after being found in violation of some part of the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH).
HIPAA's Privacy Rule defines the workforce as "employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity." It further directs that training cover "all workforce members on its privacy policies and procedures, as necessary and appropriate to carry out their function." The Security Rule states that training applies to "all members of its work force (including management)."
After reviewing 14 violations from 2014 through 2015, totaling over $14,398,200 in fines, it appears that each of the violations leads back to an employee's actions or inaction. Here is a sampling of those violations:
$215,000 -- The electronic protected health information (ePHI) of 7 individuals was accessed by unknown parties after the ePHI had been inadvertently moved to a publicly accessible server maintained by the County. Skagit County, Washington.
$1,975,220 -- OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center.
$4,800,000 -- The investigation revealed that New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) operated a shared data network and a shared network firewall. The breach occurred when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivating the server resulted in the ePHI becoming accessible through internet search engines.
$125,000 -- Parkview Health System, Inc. employees, with notice that the retiring physician was not at home, left 71 cardboard boxes of medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road.
$800,000 -- Cornell Prescription Pharmacy (Cornell) was found to have unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises.
$750,000 -- Cancer Care reported a breach of electronic protected health information (ePHI) after a laptop bag was stolen from an employee's car. The bag contained the employee's computer and unencrypted backup media, which held the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former Cancer Care patients.
$850,000 -- Lahey Hospital and Medical Center (Lahey) notified OCR that a laptop was stolen from an unlocked treatment room. The laptop sat on a stand that accompanied a portable CT scanner; it operated the scanner and produced images for viewing through Lahey's Radiology Information System and Picture Archiving and Communication System. The laptop hard drive contained the protected health information (PHI) of 599 individuals.
It is clear from each of these violations that an employee or employees of these entities could have delivered a different outcome. All employees, from the executives to the staff in the front office, are required to protect the Protected Health Information (PHI) of their patients. Whether the entity ignores the implementation of the required policies and procedures, or an employee decides not to follow the adopted policies, safeguarding patient PHI is not optional.
Leadership should create a culture of compliance for their entity, along with a roadmap for compliance training and communication.
Keys to compliance are:
Annual training is required for all staff.
Develop a responsive communication process to address questions that arise after training and on an ongoing basis.
Develop a reference repository of up-to-date policies and procedures.
Develop a process for evaluating training program effectiveness, reliability, and validity.
Develop a verification process to ensure that users have completed security awareness training before receiving access to electronic PHI.
Periodic reminders, including security reminders presented at sign-on.
Banners and screen savers.
Fliers or handouts.
Embracing and promoting a culture of compliance is your greatest asset in adhering to the required regulatory safeguards.
Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, successfully assisting organizations to make sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL's insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult.