Business Associate Sued in HIPAA Breach

August 17, 2015

Business associates are starting to become aware of their liability in a HIPAA breach.

In this case the business associate is accused of negligence for failing to prevent an employee from stealing PHI. The employee was convicted of fraud for the incident, which dates back to 2012, but the breach was not reported until 2015.
Clearly the auditors will have plenty of places to look and plenty of things to reveal, but they will probably start with the basics: risk assessment, written policies and procedures, and training. This is the triumvirate, the three-legged stool, the trinity of HIPAA compliance. Each of these breaks down further. The auditor will examine the risk assessment to see when it was done, what protocol was used, whether identified risks were remediated, and whether that remediation was documented.
Next they will look at the written policies and procedures. Are they customized to the organization and up to date with current standards? Can staff members access them easily?
Training will be carefully scrutinized as well. Were staff members, especially the one who committed the fraud, trained on the organization's policies and procedures, and was that training documented?
Breach notification is obviously going to be a major focus. According to the HHS "Wall of Shame," this breach was reported as follows:
Name of Covered Entity: City of Philadelphia Fire Department Emergency Medical Services Unit; State: PA; Covered Entity Type: Healthcare Provider; Individuals Affected: 81463; Breach Submission Date: 04/02/2015; Type of Breach: Unauthorized Access/Disclosure; Location of Breached Information: Desktop Computer, Paper/Films
So the timeline is this: the breach happened at Intermedix in 2012; the thief pleaded guilty in 2013 and was sentenced to 30 months in federal prison; and a patient who was transported in an ambulance belonging to the City of Philadelphia, and who was billed by Intermedix, was informed in April 2015 by the fire department that his medical records had been stolen. Obviously this was not the result of a robust and up-to-date breach notification plan at Intermedix.
You don't want to be on the business end of an HHS audit, and you especially don't want to be there without documented proof that you did all the right things and a breach happened anyway. Think of the basics: an up-to-date risk assessment based on the NIST protocol, written policies and procedures tailored to your organization, and documented training of your staff.
If you need a cost-effective and efficient method, contact either Jack@compliancehelper.com or Jack.K@acr2solutions.com.