New HIPAA On-Site & Business Associate Audits

Early this year the Office for Civil Rights announced that it would be conducing approximately 400 remote “desk audits” of HIPAA Covered Entities and Business Associates. The agency said it would be using its staff rather than outsourcing audits as before.

Quiet until this month, HealthcareInfoSecurity reports that OCR will be conducting on-site audits in addition to approximately 200 desk audits. The enforcement agency is waiting for software to be finished that will streamline the audit process. Then they say they will audit physicians, dentists, and health plans, requesting evidence of risk assessments, policies, and privacy practices. On-site audits will be more extensive.

One HIPAA Deadline Left

DeadlineWhen the HIPAA Omnibus Final Rule was introduced in 2013 it gave Covered Entities and Business Associates until September 23, 2013 to comply. However, it gave Covered Entities another year to update the existing Business Associate Agreements they already had in place. So, by September 22, 2014, if you haven’t already, make sure all of your Business Associate Agreements have the new language introduced in 2013.

 

 

Recent Enforcements

As usual, some breaches just make you shake your head in wonderment. Parkview Health System agreed to pay the OCR $ 800,000 after its employees left 71 boxes of medical records in a doctor’s driveway even though they knew she was not at home. Approximately 5,000 – 8,000 medical records were left within 20 feet of a public road, near a popular shopping area.

doctor-handcuffsA significant case against LabMD, an Atlanta medical lab, was brought by the Federal Trade Commission. The FTC alleged in 2009 that LabMD breached over 9,000 records by saving a 1,719-page spreadsheet on a publicly-accessible file sharing network. It also said it found records of LabMD patients in the hands of identity thieves. LabMD countered that the FTC overstepped its authority to enforce data security standards. Meanwhile, LabMD has shut down its business.

In May, OCR fined two New York hospitals a total of $ 4.8 million for accidently linking patient records to Internet search engines.  This happened when a doctor was trying to deactivate a personally-owned server from a network shared by the hospitals. There are many lessons here. One is the fact that even though HIPAA fines are limited to $ 1.5 million, multiple fines can be assessed for a single incident. Also, what was a doctor doing managing a personally-owned server on a hospital network. We have said many times that doctors aren’t IT specialists any more than IT specialists are doctors.

Recent Huge Data Breach

CHS location map

Community Health Systems, which owns, leases, or operates 206 acute-care hospitals in 29 states, breached 4.5 million records of patients it said contains no medical information. However, the data did contain information valuable to identity thieves- names, birth dates, and Security Numbers. Read our article about this incident.