The resolution agreement with Adult & Pediatric Dermatology seems like the problems have mostly been heard before. It isn’t new, they seem to all have a similar verse. Therefore, I nominate the Herman’s Hermits tune I’m Henry the VIII, I Am as the official theme song to be played when the next one is announced.
Actually, maybe they just need the Peter Noone shout out part, “Second verse, same as the first!”
The same verse in practically all the resolutions include something like:
The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process until…..
OCR mentions it is also a common theme in the audits performed in 2012. It isn’t likely to change based on what we hear in the conversations both with clients, networking and online conversations. It really isn’t something new nor is it something I haven’t mentioned in this blog several times ( see articles: HIPAA Security Rule Step #1: Perform a Risk Analysis, Got your EHR check? Better have your HIPAA Risk Analysis too, HIPAA Penetration Testing?n Jimi Hendrix and HHS Resolutions and more).
What is unique about this resolution, though, is the second issue mentioned.
The Covered Entity did not fully comply with the administrative requirements of the Breach Notification Rule to have written policies and procedures and train members of its workforce regarding the Breach Notification requirements until February 7, 2012.
Now that is a bit of a new tune. Some sites we talked with afterwards said something along the lines of “I am sure that is in our stuff somewhere”. Is it? Are you sure? Go right now and pull your HIPAA Breach Response Plan. Or, better yet go ask some of your workforce about Breach Notification requirements and see how they do.
I know the first thing most of our clients do is just pick up the phone and call us before they even pull whatever written procedures they may have to review. We are slowly making progress but this resolution made us double up our efforts concerning this specific issue. I have encouraged everyone to make another pass on that topic since this was so clearly stated in this recent resolution.
Simple questions to start your review:
- Do you have a response plan?
- Do you have it written down?
- Do you have some idea of what it says?
- Does your response team know they are on the response team?
- Does it have a checklist or a plan for where to start if there is a breach to assess?
- Does it list all the appropriate contacts you think you will need?