HIPAA and the Feds: Be “Proactive” not “Reactive” – It may Save Your Practice or Business


One sure fire way to get your business or practice audited and in big financial (if not criminal) trouble is to take a reactive instead of a proactive approach. What do I mean by this? Let’s take for example a situation I encountered earlier in the year. A practice had a breach of private health information occur (called in anonymously by an employee) and was sent a letter from the Health and Human Services (HHS), Office of Civil Rights (OCR) demanding that the practice turn over the following information:

1. Documentation and outcome of any investigation the practice had done regarding the matter, including a description of the breach, number of affected individuals, incident report, corrective actions taken, and mitigation. OCR WILL WANT TO SEE EVERYTHING THAT WAS DONE PRIOR AND AFTER THE BREACH
2. Policies and procedures to identify, document, respond to, and mitigate any security incidents involving ePHI. DO YOU HAVE POLICIES IN PLACE CURRENTLY?
3. The risk analysis performed for or by practice before or after EMR denial in January 2013. HAVE YOU CONDUCTED A RISK ASSESSMENT?
4. Evidence of the security measures implemented to reduce risks and vulnerabilities to a reasonable and appropriate level, based on risk analysis before and after DMC’s EMR denial in January 2013. WAS YOUR PRACTICE ADEQUATELY PROTECTED PRIOR?

5. Practice’s relevant Privacy and Security Rule policies addressing confidentiality of PHI, mitigation, information safeguards, and data integrity. WHAT SPECIFIC POLICIES WERE IN PLACE TO MITIGATE THE RISK OF THIS TYPE OF INCIDENT?
6. Practice’s relevant Security Rule policies implementing its access authorization programs to prevent unauthorized access to ePHI and to provide for backup records if the original ePHI is destroyed, tampered with, or unavailable. WHAT IS YOUR ACCESS AUTHORIZATION POLICY? HOW ARE BACKUPS DONE?
7. Practice’s breach notification policies and procedures under the Breach Notification Rule, providing for notification to the individual, media, and HHS Secretary. DID YOU ABIDE BY THE BREACH NOTIFICATION RULE UPON LEARNING OF THE BREACH?
8. A representative sample of the breach notification sent to the individuals whose unsecured PHI has been, or DMC reasonably believes to have been, accessed, acquired, used, or disclosed as a result of the breach. CAN YOU SHOW AN EXAMPLE OF WHAT WAS SENT TO THE INDIVIDUALS WHO WERE AFFECTED BY THE BREACH?
9. Practice’s reasons for failing to notify OCR for the breach within 60 days of the occurrence. IF NOT NOTIFIED WHY NOT?

After working directly with the practice (after the fact) the fines were slightly lowered but had they taken proactive measures none of this would’ve happened in the first place.

How can you help avoid this situation in your practice? The number one thing you need to do for your practice or business (if you qualify as a business associate) is a Risk Analysis. The lack of a Risk Analysis was the #1 area of non-compliance based upon the findings of the pilot audit program the Feds began back in 2012

If you have any questions please feel free to email me directly at:brian.tuttle@ingaugehsi.com


Comments are closed.