In an article concerning a breach investigation, a copy of the information requested in the OCR (HHS Office for Civil Rights) letter was included. The items were to be supplied within 20 days. When I showed the list to others, they had a look similar to this one…
The list alone was overwhelming, but what surprised the group more was the reason the single-provider practice was receiving the request. A business associate (BA) that had signed a business associate agreement (BAA) and said they were “HIPAA Certified” allowed registration form data for 50 patients to be publicly accessible on the web. To make it worse, it was a patient who notified the provider of the issue; it wasn’t something the provider or the BA found for themselves.
There are so many points for small providers and business associates to learn from this story that it would take more than one blog article to cover them. That is true for all covered entities (CEs) and BAs, but especially for the ones who claim they are “so small they will never have to worry about the OCR”. Oh yeah, and the ones who say they will get to it later – maybe next year. (We have heard that line from some groups since 2012; they are running out of time to get around to it this year, and two years from now it will be “next year” all over again.)
Here are some of the high points that really should be emphasized based on the information in that letter.
- No CE or BA is too small to end up in an OCR audit or breach investigation. This practice was a single-provider oral surgeon.
- Signing a BAA and telling you they are “HIPAA Certified” isn’t enough assurance from your BAs. Vet them beyond taking their word for it, and ask for details about their compliance program. In this case, the people setting up the website form clearly didn’t concern themselves with securing PHI.
- Your BAA should include some indemnification for both parties. Without it, the CE has no recourse to recoup legal fees, fines, notification costs, reputation-rebuilding costs, etc. from the BA.
- The documentation requested by OCR is extensive – a list of 19 different items, and many of those single line items require multiple documents. Phrases such as “Evidence of” and “before and/or after the incident” appear in several items, looking for proof that compliance activities and reviews actually took place.
- The required information must be available immediately, not something you throw together when asked. They have 20 days to gather that long list of details and documentation.
- A three-ring binder of paper isn’t going to cut it. The report mentioned that the provider’s own lawyers laughed at them when they brought a large three-ring binder into the office. Showing that you actually follow the procedures that say you will monitor and test things takes far more detail than a single manual ever holds. This was a single provider with fewer than 10 employees, and a binder of information just wasn’t enough.
- Even if someone tells you the information on your website is secure, you still need to confirm every part of the security of that PHI data, from the patient entering the information all the way to your EHR/PM. At a minimum, have the BA maintaining the site give you documentation covering the PHI and how it is secured by every vendor that stores it anywhere in the process. Every time the website is updated, update your documentation accordingly; otherwise, no one is checking that the changes didn’t expose PHI.
Start sooner rather than later. Make HIPAA part of your regular business routines. No provider is “too small” for HIPAA to be done properly any longer.