Since the compliance date of April 2003, over 89,045 HIPAA complaints have been received by the HHS Office of Civil Rights. What were the results? Nearly 22,000 complaints were resolved through investigation and enforcement. Close to 10,000 complaints were investigated and no violations were found, and nearly 52,000 complaints were closed because they were not eligible for enforcement.
The HHS Office of Civil Rights spends most of its efforts investigating the following:
1) Impermissible uses and disclosures of PHI (Personal Health Information)
2) Lack of safeguards of PHI
3) Lack of patient access to their PHI
4) Uses or disclosures of more than the minimum necessary
5) Lack of administrative safeguards of ePHI
Some of the problems identified in the above include:
1) Failure to conduct a Risk Analysis (RA) in response to a new environment
a) BCBSTN – changed offices
b) WellPoint – installed software upgrade
2) Failure to conduct an accurate and thorough RA that incorporated all IT equipment, applications, and data systems utilizing ePHI
a) New York Presbyterian Hospital
3) Workforce Members
a) Failure to train and/or train on an ongoing basis
b) Failure to “apply appropriate sanctions”
c) Failure to install security measures to monitor unauthorized access
i. UCLA case – workforce members repeatedly snooping on patients between 2005-2008
d) Failure to implement appropriate policies and procedures for authorizing access to the patient database
4) Technical/Security Failures
a) Failure to take inventory of equipment that accesses PHI
b) Failure to implement processes to assess and monitor the equipment that accesses PHI
c) Failure to implement appropriate security measures
d) Failure to follow existing policies and procedures on information access management
i. New York Presbyterian Hospital
Why have a policy?
a) Protect clients/patient rights
b) Instill professionalism throughout your enterprise
c) Protect your organization from liability
d) Protect your employees from liability