Choosing the Right Security Programs Can Mitigate the Financial Penalties Associated with HIPAA Violations

Mar 19, 2020 Published Article

The Department of Health and Human Services (HHS) recently issued a press release [1] highlighting the financial consequences of an inadequate HIPAA compliance program. The HHS Office for Civil Rights (OCR) fined a physician $100,000 and placed him under a corrective action plan with two years of monitoring for failing to implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule after breaches of sensitive patient information.

What is at risk?

This is a stark reminder that it is not enough to report a HIPAA breach. A covered entity or business associate must conduct an internal risk analysis of its security program, implement security measures that reduce the identified risks and vulnerabilities, and adopt a response strategy that sets out the security measures it will take after a breach occurs. All of this needs to be in place before a breach occurs. Otherwise, an organization is exposed to significant financial penalties and to restrictive oversight that slows its operations.

What can you do to make sure you are in compliance?

The National Institute of Standards and Technology (NIST) has released the NIST HIPAA Security Toolkit Application, and the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment (SRA) Tool. Both can be found through the HHS.gov website and are good starting points for assessing and implementing a security program. Internally, an organization's efforts should include the following:

  1. Having senior leaders assess the security program together with the IT department;
  2. Training employees in the proper handling of PHI and ePHI;
  3. Developing and maintaining reporting and stopgap strategies for security breaches; and
  4. Maintaining a clear, documented program outlining the organization's efforts to protect PHI and ePHI, ready for a potential audit.

How We Can Help

Our firm can first determine whether your organization is required to comply with HIPAA, review the security programs you use to monitor, protect, and store PHI/ePHI, and train your employees in how to handle sensitive information. We can also provide clear guidance on how to develop breach response procedures, report breaches, and protect against them under HIPAA. Finally, we can defend your organization against any compliance violations brought against it.


[1] https://www.hhs.gov/about/news/2020/03/03/health-care-provider-pays-100000-settlement-ocr-failing-implement-hipaa.html