Chasing down HIPAA violations isn’t just about enforcing compliance; it’s about the government collecting big bucks.
Earlier this year, the U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”), the branch charged with enforcement of HIPAA’s Privacy and Security Rules, settled with Florida-based Memorial Health System (“MHS”) for $5.5 million.
The charge? Alleged violations of the Privacy and Security Rules arising from the failure to properly control access to patients’ protected health information (“PHI”).
MHS operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities. It’s also affiliated with physicians’ offices through a HIPAA Organized Health Care Arrangement.
OCR alleged that the PHI of over 100,000 patients had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physicians’ office staff. Of those, 80,000 individuals’ PHI had been accessed by a single former employee whose login credentials hadn’t been terminated.
In a Success in Motion video, I previously discussed another OCR settlement, that one involving no alleged actual HIPAA breach, but only a potential breach.
That case involved Saint Elizabeth’s Medical Center, a hospital in Brighton, Massachusetts, that paid over $200,000 to OCR to settle. The medical center’s employees were using hundreds of online applications to store or submit patients’ PHI. As a result, PHI could have been disclosed.
In fact, it’s been reported that in the average large hospital setting there can be up to 900 cloud-based sharing apps being used by hospital employees. Who even knew there were that many cloud-based sharing applications!
The point here is that no matter what you think about HIPAA compliance, that it’s all make-work or even pure B.S., HIPAA is real and so is its enforcement.
Compliance with the Privacy and Security Rules takes both documentation and (surprise!) actual implementation.
And, it takes a large dose of introspection and auditing. What works in your particular instance, in the context of your ASC, other facility, or medical group? What is actually going on, day-to-day, in terms of PHI access and use among your employees, medical group partners, and subcontractors? Are their actions resulting in actual, or even in potential, HIPAA violations?
Compliance isn’t dry. It’s alive and active. And, the penalties for blowing it off or mistakenly blowing it are substantial.