$3.5 Million HIPAA Fine for Risk Management Failures
The most recent large-scale HIPAA fine is a cautionary tale for health care professionals of all varieties about the dangers of improper risk management.
On February 1, 2018, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $3.5 million settlement resolving numerous HIPAA violations uncovered during its investigation.
OCR's civil money penalties range from $100 to $50,000 per violation, with the tier determined by the organization's level of culpability, from violations it did not know about and could not reasonably have known about up to uncorrected willful neglect.
The organization, Fresenius Medical Care North America (FMCNA), provides products and services for people with chronic kidney failure. In January 2013 FMCNA reported five separate incidents involving breaches that had occurred between February and July of 2012. Under the HIPAA Breach Notification Rule, breaches of unsecured protected health information (PHI) must be reported to OCR. PHI is individually identifiable health information; common identifiers include names, addresses, phone numbers, health care data, insurance information, and Social Security numbers. 2017 saw the first settlement in the history of HIPAA enforcement for a violation of the Breach Notification Rule.
These five breaches occurred at five separate FMCNA facilities. Over the course of its investigation, OCR determined that FMCNA had failed to conduct the risk management that HIPAA requires at those locations. Among the findings, OCR cited HIPAA violations including:
- Failure to conduct an accurate and thorough risk analysis, which the Security Rule requires in order to identify the risks to PHI across the entire organization.
- Failure to implement policies and procedures governing access to, and removal of, hardware and electronic media that hold PHI. Under HIPAA, access must be limited to what each role needs to do its job, and organizations must have policies addressing the physical removal of devices that can access PHI from the premises.
- Failure to encrypt PHI. Encryption of electronic PHI, at rest and in transit, is an "addressable" implementation specification under the Security Rule: an organization must either implement it or document why it is not reasonable and appropriate and put an equivalent safeguard in place. Absent that documented justification, unencrypted PHI on a lost or stolen device is a reportable breach.
- Impermissible disclosure of PHI, which the HIPAA Privacy Rule strictly limits.
This settlement underscores the importance that every health care practice must place on HIPAA compliance. A thorough, effective, and up-to-date HIPAA compliance program is the best defense against HIPAA violations and the federal fines that follow them.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches® field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including full risk assessments in accordance with privacy and security standards.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in this article and blog post are those of the authors. They do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company, or individual.