A famous Jimi Hendrix quote goes:
I’ve been imitated so well I’ve heard people copy my mistakes.
Aspiring guitarists work hard to imitate Hendrix to this day. His music is well documented and played daily around the world. If you want to make a name for yourself, duplicate him, even his mistakes.
What does that have to do with HHS Resolutions? Well, the exact opposite is true when it comes to HIPAA Breach resolutions.
Don’t copy others’ HIPAA mistakes, because you don’t want to make a name for yourself with HHS.
HHS publishes resolution agreements when it completes an investigation that results in action. That means there are very detailed, published accounts of exactly what mistakes others made that resulted in penalties with lots of zeros in them. Learning from others’ mistakes is usually easier than learning from your own. So let’s look at some of those mistakes and learn something from them.
A review of just three resolution examples makes it obvious that all three were missing the basic parts of HIPAA compliance. (Summaries of the resolutions are included below.)
- They hadn’t done a proper risk analysis at all, ever.
- There was no documented training for the policies that did exist, or the policies didn’t exist at all.
- They weren’t encrypting devices, and they had no documentation of their decision not to encrypt.
- They weren’t sure how PHI that left their office would be protected.
- They didn’t have BAAs in place for every vendor that had PHI access.
How do you learn from their mistakes?
- Do a proper risk analysis
- Have actual policies in place
- Have a training plan that is properly documented
- Don’t let PHI walk out your door unless you know it will be properly protected
- Encrypt your data, or have a written, thought-out explanation of why you do not use encryption
- Make sure you have BAAs in place
- Have documentation showing that you verified your BAs are compliant (or the BAA won’t matter much)
Hospice of North Idaho (HONI)
Settled for $50,000 and agreed to a 2-year corrective action plan (CAP)
The investigation followed HONI’s report to HHS that an unencrypted laptop computer containing the ePHI of 441 patients had been stolen in June 2010. HONI:
- did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an ongoing basis as part of its security management process from the compliance date of the Security Rule to January 17, 2012
- did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 1, 2011
MEEI
Settled for $1.5 million and agreed to a 3-year CAP
The investigation followed a breach report submitted by MEEI reporting the theft of an unencrypted personal laptop containing the ePHI of 3,526 patients. MEEI:
- did not demonstrate that it conducted a thorough analysis of the risk to the confidentiality of ePHI on an ongoing basis as part of its security management process from the compliance date of the Security Rule to October 29, 2009.
- had security measures that were not sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level from the compliance date of the Security Rule to May 17, 2010.
- did not adequately adopt or implement policies and procedures to address security incident identification, reporting, and response from the compliance date of the Security Rule to March 8, 2010.
- did not adequately adopt or implement policies and procedures to restrict access to authorized users for portable devices that access ePHI or to provide it with a reasonable means of knowing whether or what type of portable devices were being used to access its network from the compliance date of the Security Rule to March 8, 2010.
- did not adequately adopt or implement policies and procedures governing the receipt and removal of portable devices into, out of, and within the facility from the compliance date of the Security Rule to May 17, 2010. MEEI had no reasonable means of tracking non-MEEI owned portable media devices containing its ePHI into and out of its facility, or the movement of these devices within the facility.
- did not implement an equivalent, reasonable, and appropriate alternative measure to encryption that would have ensured confidentiality of its ePHI or document the rationale supporting the decision not to encrypt.
Physician practice
Settled for $100,000 and a 1-year CAP
A report was made to HHS that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. The practice:
- From April 14, 2003 to October 21, 2009, did not provide and document training of each workforce member on required policies and procedures
- From September 1, 2005 until November 1, 2009, failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of PHI
- From September 1, 2005 until November 30, 2009, did not implement required administrative and technical security safeguards for the protection of ePHI
- From September 1, 2005 until December 3, 2009, failed to obtain satisfactory assurances in business associate agreements from the Internet-based calendar provider and from the Internet-based public email providers that these entities would appropriately safeguard the ePHI