Health care organizations and their business associates must be ever vigilant to protect the privacy of individually identifiable health information under HIPAA – the Health Insurance Portability and Accountability Act of 1996. And we like to assume that most organizations are doing a good job and take that responsibility as seriously as the federal government expects.
While technological innovation and web-based programs strive to make our lives – and work – easier, they also present new challenges in regard to the protection of protected health information (PHI). One Massachusetts hospital recently learned this the hard way to the tune of a $218,400 settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The hospital must also adopt a corrective action plan to address deficiencies in its HIPAA compliance program.
Modern Healthcare describes how hospital employees used an Internet-based document-sharing app to store documents containing electronic protected health information (ePHI) of approximately 500 individuals – without the hospital ever having analyzed the risks of that practice, as the HIPAA Security Rule requires. In a separate incident, the hospital also reported that a former employee's personal laptop and USB flash drive, which held the PHI of almost 600 individuals, had been stolen.
Both incidents turn on the same gap: ePHI ended up in a place the organization had never assessed and did not control – a third-party app in one case, a personal device in the other. This is a cautionary tale for all those who use cloud-based services and are responsible for protecting PHI under the law – including not only HIPAA-covered entities but also those “business associates” that perform certain functions or activities that involve the use or disclosure of PHI on behalf of, or in providing services to, a covered entity.
In another example, Modern Healthcare reports the case of a five-physician medical practice that in 2012 agreed to a $100,000 settlement for failing to have the HIPAA-required business associate agreements in place with the providers of its Internet-based calendar and email services. A vendor that stores or transmits PHI on your behalf is a business associate, and moving to a hosted service does not move the obligation to have that agreement signed before PHI flows.
Are you doing all you can to protect health information privacy? Learn more about the HIPAA rules for covered entities and business associates here.
Dana Coleman is a Vice President at Lovell Communications. Connect with Dana at Dana@lovell.com or @lovelldc