How are proper privacy and security controls, risk assessments, remediation/mitigation, policies and procedures, and training are all part of providing safe treatment to your patients? If your patients’ PHI is stolen and used maliciously, the accuracy of their medical record moving forward could be compromised. Left undetected, such inaccuracies could lead to lethal errors when that patient sees another provider or requires emergency treatment.
These measures are not confined to the four walls of your practice, unfortunately. Effective third-party risk management is becoming more important every day. This is evident by the sharp increase in small practices, local governments, and their service providers, such as IT support service vendors, experiencing both small and large breaches as well as system compromises from such things like ransomware attacks.
Over the past 12 to 18 months, audits and enforcement from The Department of Health and Human Services Office for Civil Rights (OCR) have focused more and more on effective privacy and security programs that include signing business associate agreements with applicable service providers, routine and documented security assessments and risk analysis, and addressing any issues found. Corrective actions can include activities like revising policies and procedures, updating security and process controls, as well as effective routine training.
Approximately $14,500,000 of the $31,800,000 in fines issued by the OCR since January 2018 were linked to risk assessment deficiencies, failure to implement and follow policies and procedures, and/or lack of signed business associate agreements. These enforcements included both large and small covered entities and business associates. One of the most recent enforcements for $3,000,000 was imposed on Touchstone Medical Imaging. OCR’s investigation of a breach, which was discovered by the FBI, not Touchstone, found that Touchstone “failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its electronic PHI (ePHI), and failed to have business associate agreements in place with its vendors, including their IT support vendor and a third-party data center provider as required by HIPAA.” In addition to the monetary penalty, Touchstone must follow a two-year corrective action plan that requires “the adoption of business associate agreements, completion of enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.” Touchstone must also bear its own costs for legal and other administrative fees related to the enforcement and corrective action plan.
It is becoming more common, whether, by law or contract, those entities who cause a breach are required to pay for at least one year of identity theft monitoring service for each person whose information was included in a breach. The most basic identity theft monitoring service costs about $10 per month. If applied to the Touchtone enforcement, which included over 300,000 patients, the additional cost would be about $2,985,000.
Everyone is on the same team and wants to see patients receive the best and safest care possible. Ensuring employees receive effective routine training and interim reminders or updates creates an awareness and appreciation for measures that protect patient information. It teaches employees when to ask questions and how to identify potential issues that might compromise the privacy and security of patient and practice information before it’s too late.