OCR Settlement, a 3-year CAP

Do you want to be the company that is known for a systemic non-compliance problem? No way, but in Peachstate Not A Peachy OCR Settlement, Episode 307 of the Help Me With HIPAA Podcast Donna and David goes in detail of how the acting OCR Director describes how Peachstate Clinical Laboratories failed to implement basic Security Rule requirements and needlessly risked patients’ electronic health information. Not a good situation to be in.

Looking at the settlement fine of $25,000 really doesn’t gain a lot of attention to the case, but what does is the Corrective Action Plan (CAP) OCR included with the fine. If you are a regular listener of the Help Me With HIPAA podcast, then you have heard that failure to conduct a proper Security Risk Analysis (SRA) is the #1 thing organizations do wrong. Guess what Peachstate Clinical Laboratories failed to do? Correct, they did not do a proper SRA. If you don’t do an SRA then you won’t have a thorough Risk Management Plan. Another important item that all organizations should have is written Policy and Procedures that cover the HIPAA Breach, Privacy and Security Rules.

This should all sound familiar. If you are thinking you don’t have time to do this, OCR will help you find the time. That is what a CAP is all about. In the case of Peachstate Clinical Laboratories, OCR added a 3 year Corrective Action Plan that requires a proper SRA, Risk Management Plan, Policies and Procedures, reporting of workforce violations, creating a full training plan, etc. Oh, and it is not that Peachstate Clinical Laboratories have 3 years to complete these steps, they have 30 days to 90 days to get certain tasks done, the rest of the time is proving to OCR that they are maintaining the program. Basically, OCR will be in your “breaches” for a long time. So, needless to say, you may want to find the time you say you don’t have.