On March 3, 2020, the Office for Civil Rights (OCR) released a Resolution Agreement (RA) with a gastroenterology (GI) physician practice for violations of the HIPAA rules. The GI practice had filed a HIPAA complaint with OCR on November 21, 2013, indicating that one of its Business Associates (BA), an Electronic Health Record (EHR) vendor, was blocking the practice's access to its electronic protected health information (ePHI) until the practice paid the vendor $50,000. The GI practice indicated that this was an impermissible use of the ePHI by the BA. Ironically, as part of its investigation OCR uncovered HIPAA noncompliance within the GI practice itself, resulting in the practice being placed on a two-year Corrective Action Plan (CAP) and paying a $100,000 settlement.
What Were the Findings?
- The GI practice failed to implement policies and procedures to prevent, detect, contain and correct security violations.
- The GI practice failed to conduct a HIPAA security risk analysis to identify and reduce the risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI.
- Prior to the November 21, 2013 complaint, the GI practice had not obtained satisfactory assurances from the EHR vendor that it would appropriately safeguard the ePHI it held on the practice's behalf.
What are the Corrective Action Items?
Security Management Process – Risk Analysis
- The GI practice agrees to conduct an accurate and thorough HIPAA risk analysis. Before completing the risk analysis, the practice must create a complete inventory of all electronic equipment, data systems and applications that create, receive, maintain or transmit ePHI. The risk analysis must be submitted to OCR for approval within 90 days.
Security Management Process - Risk Management
- Once OCR approves the risk analysis, the GI practice must submit a risk management plan to OCR for approval within 90 days that addresses and mitigates the identified security risks.
- Once the plan is approved, the GI practice must implement it promptly.
Revise Policies and Procedures
- Revise the policies and procedures identified in the risk management plan and submit them to OCR for approval within 30 days.
- Revise all policies and procedures relating to BAs, including designating a responsible party to negotiate BA agreements and to track and archive the related records for the HIPAA six-year minimum retention period.
- Revise all policies and procedures relating to the use and disclosure of protected health information (PHI) so that workforce members understand their obligations.
- Provide workforce training within 60 days of OCR's approval of the revised policies and procedures. The training must then be repeated annually and as needed.
- Throughout the CAP period, the GI practice must investigate workforce non-compliance with the policies and procedures and promptly report each incident to OCR as a "reportable event."
Additional implementation steps are outlined in the CAP and can be found by reading the "Porter Resolution Agreement and Corrective Action Plan."
What are the Key Takeaways?
Although the GI practice had a legitimate complaint to file against its EHR BA, OCR's investigation explored the root cause of the incident and discovered areas of non-compliance within the GI practice itself. Covered Entities must keep in mind that they remain responsible for protecting PHI/ePHI, in collaboration with their BAs; engaging a BA does not transfer that responsibility.
- Conduct an accurate security risk analysis to serve as the foundation for the Risk Management Plan.
- Develop policies and procedures to support the Risk Management Plan and comply with HIPAA Privacy, Security and Breach Notification rules.
- Train workforce members on the policies and procedures, and retain the training records and attestations for six years as required by HIPAA, or longer if your state law or your practice's own policy is more restrictive.
If you have questions on conducting an accurate HIPAA Security Risk Analysis please contact LW Consulting, Inc.
If you are looking for HIPAA Security Policies and Procedures, please visit the LW Consulting Store.