Having policies and procedures in place is good, as long as you have audit controls to ensure they’re being implemented. Memorial Healthcare Systems (MHS) in South Florida did not. Late last week, the U.S. Department of Health and Human Services (HHS) announced that MHS has paid $5.5 million to settle potential violations of the HIPAA Privacy and Security Rules and agreed to implement a robust corrective action plan.
MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been accessed by its employees without permission and then disclosed to affiliated physician office staff. The login credentials of a former employee of an affiliated physician’s office had been used on a daily basis to access the ePHI maintained by MHS, without detection, from April 2011 to April 2012.
PrivaPlan President David Ginsberg says the key takeaway from the HHS news release is this: “Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.”
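The two controls the release says were missing, a periodic review of user access rights and a periodic review of information system activity, can both be reduced to a join between the HR termination list and the application's user list and audit log. The script below is an added illustration of that join, not code from PrivaPlan, MHS or HHS; the user names, dates and record identifiers are constructed sample data.

```python
from datetime import date
from typing import NamedTuple

# Constructed sample data. In practice the termination list comes from HR
# (covering affiliated-practice staff as well as MHS workforce) and the
# account list and access log come from the ePHI application itself.
TERMINATIONS = {
    "jdoe": date(2011, 3, 31),    # left the affiliated office before the access window
    "asmith": date(2012, 6, 15),  # still employed during the period reviewed
}

ACTIVE_ACCOUNTS = {"jdoe", "asmith", "nurse1"}

# (user id, access date, patient record id) -- constructed log entries
ACCESS_LOG = [
    ("jdoe", date(2011, 4, 4), "MRN-0001"),
    ("jdoe", date(2011, 4, 5), "MRN-0002"),
    ("asmith", date(2011, 4, 5), "MRN-0003"),
    ("nurse1", date(2011, 4, 6), "MRN-0004"),
]


class Finding(NamedTuple):
    user: str
    kind: str
    detail: str


def review_access_rights(active_accounts, terminations, as_of):
    """Access-rights review: accounts still enabled after their owner's termination date."""
    return [
        Finding(u, "stale_account", f"terminated {terminations[u]}, still active on {as_of}")
        for u in sorted(active_accounts)
        if u in terminations and terminations[u] < as_of
    ]


def review_activity(access_log, terminations):
    """Activity review: every log entry made with a credential after its owner left."""
    return [
        Finding(u, "post_termination_access", f"{ts} record {rec}")
        for u, ts, rec in access_log
        if u in terminations and ts > terminations[u]
    ]


if __name__ == "__main__":
    for f in review_access_rights(ACTIVE_ACCOUNTS, TERMINATIONS, date(2011, 4, 30)):
        print(f)
    for f in review_activity(ACCESS_LOG, TERMINATIONS):
        print(f)
```

Run on a schedule (monthly is a common choice), the first review is the termination procedure's audit control and the second is the log review that went unperformed for a year in this case.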
An excellent part of any HIPAA compliance program is to conduct an internal mock audit periodically to ensure that HIPAA policy and procedures are in place and being followed throughout your organization.
PrivaPlan can perform a mock HIPAA Privacy and Breach Notification audit using the OCR protocol, as well as our unique audit methodology. This can be conducted as either a desktop or onsite analysis. The audit will provide a list of gaps or deficiencies and recommendations on improvement. The results of our audit can be combined with your HIPAA security risk analysis and other testing to establish a robust risk management plan for compliance.
Contact us at email@example.com or call 877-218-7707.