By Margaret Scavotto, JD, CHC
Director of Compliance Services
Management Performance Associates
On July 18, the Office for Civil Rights (OCR) announced a new HIPAA settlement: an academic health center and research university in Oregon will pay $2.7 million to resolve HIPAA privacy and security violation allegations.
OCR investigated the university after it received three breach reports, involving:
- two unencrypted laptops
- one unencrypted flash drive
OCR investigated the university’s HIPAA compliance, and found several issues:
- While the university had conducted multiple risk analyses, these analyses did not address all of the university’s ePHI.
- Vulnerabilities identified in the risk analysis were not mitigated on a reasonable timeline.
- Security policies and procedures were lacking.
- Encryption was identified as a risk, but had not been implemented.
- ePHI for more than 3,000 individuals was stored on a cloud-based server which did not have a business associate agreement with the university.
What could we be missing?
HIPAA compliance is comprehensive, and growing more so every day. If these allegations are true, it would not be the first time a provider overlooked a business associate or a source of ePHI when assessing security risks. Could this happen to you? When it comes to any kind of compliance, more heads are better than one. Use your Compliance Committee to review your HIPAA risks, and identify any areas your organization has overlooked. Do you use a cloud? If so, is there a BAA in place? Are there any other service providers that need to be addressed? Does your security risk assessment include all sources of ePHI? Have you added any new ePHI sources or means of transmittal since your last assessment (such as texting)?
It’s official….the OCR has already doubled its 2015 settlement amounts
In 2015, the OCR entered six HIPAA settlements, totaling $5,100,000. As of July 18, 2016, the OCR has entered 8 HIPAA settlements this year, totaling $12,014,800. That’s right, the OCR has more than doubled its settlement total, and the year is only half over. Providers and business associates alike can expect this enforcement to continue. Your HIPAA security risk assessment, policies and procedures, training and audits will be your defense if you ever face a breach or an audit.HIPAA alert: Is your Security Officer's head in The Cloud?Click To Tweet