Compliance News - page 10

HIPAA Triad: Risk Assessment, Policies, Training

While HIPAA covers a wide range of issues, its basic organization is a triad consisting of periodic risk assessment, updated policies, and documented staff training. The lack of any one of these will result in an audit failure and substantial fines.

Posted October 29, 2015 by Jack Anderson

$750,000 Fine and Corrective Action Plan (CAP)

The $750,000 fine for HIPAA violations by Cancer Care Group shows that physician practices are not exempt from the rules, but the Corrective Action Plan (CAP) is more instructive. The CAP tells us what they needed to do to prevent the fine: "The CAP emphasizes general HIPAA compliance and the importance of conducting the security risk analyses at regular or as-needed intervals, implementing responsive risk management plans, and updating training materials and policies and procedures." http://www.healthlawupdate.com/2015/10/hipaa-fine-underscores-ocrs-focus-on-physician-group-compliance/

Posted October 19, 2015 by Jack Anderson

Risk Assessment Critical for MU

Core measure 15 requires a HIPAA risk assessment, and HHS states: "In fact, in our audits of providers who attested to the requirements of the EHR Incentive Program, this objective and measure are failed more frequently than any other requirement."

Posted October 13, 2015 by Jack Anderson

HIPAA "Gotcha" Questions for Business Associates

Got an up-to-date HIPAA risk assessment? Got an up-to-date, written set of policies and procedures? Got documented staff training? If not, HIPAA auditors or your business partners "gotcha".

Posted September 25, 2015 by Jack Anderson

HIPAA Audits for Business Associates

HHS audits for business associates will start in 2015, but they are the tip of the iceberg. Audits by covered entities are a much greater threat to business associates.

Posted September 14, 2015 by Jack Anderson

Medical Identity Theft and Human Cost

I just read "Why HIPAA Matters: Medical ID Theft and the Human Cost of Health Privacy and Security Incidents" by Daniel Solove, who is a professor at George Washington Law School, and it certainly rang true to me.

Posted August 31, 2015 by Jack Anderson

Business Associate Sued in HIPAA Breach

Intermedix, a medical billing company and business associate, was sued for not protecting PHI, which caused a breach, and for failing to notify patients of the breach.

Posted August 17, 2015 by Jack Anderson

HITECH Act Failing

The HITECH Act was supposed to help create richer and deeper pools of patient data and to protect them with stricter HIPAA rules. With over 100 million patient records breached in the first half of 2015, the protection part is not working.

Posted August 6, 2015 by Jack Anderson

Reasonable and Appropriate HIPAA Compliance

You only need to be HIPAA compliant in a manner that is reasonable and appropriate to your organization. For a small organization, this could mean that over 1/3 of the rules may not apply to you, but the question is: which ones?

Posted July 30, 2015 by Jack Anderson

HIPAA’s Three-Legged Stool

If you want the quickest test for whether your organization is HIPAA compliant, check for the three legs of the stool: risk assessment, updated policies and procedures, and staff training on the updated policies and procedures.

Posted July 21, 2015 by Jack Anderson