Another day, another CE (covered entity) gets whacked for millions for a preventable breach. Further, if you read between the lines, the CE likely got whacked for willful neglect as well, because it appears to have been missing basic policies and procedures. What's the excuse here? Hubris! Surely an organization of this size should have had the basics in place. Either the C-Suite was OK with thumbing its nose at the law or the compliance officer was grossly negligent. Agreeing to pay $3.5M is no small sum, in addition to whatever the organization had to spend on breach notification, which was likely a lot more.
I seriously doubt that North Memorial Health Care of Minnesota was "guilty" of just these two violations post its breach; rather, these are two that OCR happened to focus on to justify the $1.55M settlement.
If you read the CAP (corrective action plan), you will see additional action items that North Memorial must complete in order to comply.
Our article this month is entitled: Revisiting BYOD & Security of Mobile Devices.
It has been about three years since we last wrote about BYOD. During that time all of our predictions have certainly come true, and then some. Further, there has been no shortage of lost or stolen devices to confirm our hypothesis that BYOD would wreak havoc in the healthcare workplace (i.e., in the form of potential breaches of PHI). In this article we want to be more proactive and propose a reasonable, low-cost, high-value (partial) solution to the problem. However, for reasons discussed below, we understand that this solution is almost certainly not going to be implemented except where visionary health information technology ("HIT") leaders sit at the very top of organizations...
Looking for a simplified way to train your staff on HIPAA Breach Notification? For a limited time, we are offering our Breach Notification Training Module F*R*E*E* when you sign up for our monthly newsletter (also free). Go here to get your free training now!
HIPAA Documentation Training - You might think that compliance with HIPAA is mostly about documentation. If so, you would be partly correct, but you would be missing the big picture entirely. There is a significant amount of documentation required to comply with HIPAA because the Rules (Privacy, Security, and Breach Notification) require that you perform a significant number of tasks. It is recording the performance of these tasks that drives the majority of HIPAA documentation.
We like to use the HIPAA equation as a metaphor for what an organization needs to have in place for each requirement in the Rules. If you have policies, processes, and tracking mechanisms in place for each requirement then you have visible, demonstrable evidence of compliance and you are on your way to establishing a culture of compliance.
Tracking process results, at the granularity of an individual requirement, is what drives HIPAA documentation. Sure, you will have to develop policies and document your processes, but this documentation pales in comparison to tracking process results.
This training module walks you through all the HIPAA documentation requirements Rule-by-Rule: (1) Privacy Rule; (2) Security Rule; and (3) Breach Notification Rule.
You can find this product on the HIPAA Survival Guide store by clicking here.