October 28, 2021

Volume XI, Number 301


Coming to a Medical Practice near You: HIPAA and Hi-Tech Audits (Health Insurance Portability and Accountability Act)

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from a staff member’s vehicle. OCR launched a subsequent investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of confidential ePHI as part of its security management process. Further, the Practice did not fully comply with the Breach Notification Rule’s requirements to have written policies and procedures in place and to train workforce members on them.

The Final Omnibus Rule has been discussed at length on this blog (here and here), and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented that correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small, and practitioners in medical practices are gravely mistaken if they think they are off OCR’s radar.

The importance of a HIPAA risk analysis cannot be stressed enough. The Practice failed to conduct one and paid the costly consequences. Not only is a risk analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and Stage 2 “Meaningful Use.”

The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis? On Thursday, we will review the risks associated with these devices and how encryption of ePHI can help insulate your practice from liability.

© 2021 by McBrayer, McGinnis, Leslie & Kirkland, PLLC. All rights reserved. National Law Review, Volume IV, Number 35

About this Author

Christopher J. Shaughnessy, Health Care Attorney, McBrayer Law Firm
Associate

Christopher J. Shaughnessy is an attorney at McBrayer, McGinnis, Leslie & Kirkland, PLLC. Mr. Shaughnessy concentrates his practice area in health care and is located in the firm's Lexington office. He has extensive experience in the health care law industry. Mr. Shaughnessy represents institutions such as hospitals and nursing homes as well as individual medical professionals, including physicians, mid-level practitioners and nurses. He also represents small offices and large offices that are part of large networks. Some of the services he commonly provides are in the following...

859-554-4414