Lobbying Affiliate: MML&K Government Solutions
{ Banner Image }

Healthcare Law Blog

Comprehensive Healthcare law services.
It's kind of our bag.

Contact Us

250 Character(s) Remaining
Type the following characters: romeo, romeo, hotel, six

* Indicates a required field.

Categories

McBrayer Blogs

Related Blogs

Coming to a Medical Practice near You: HIPAA and Hi-Tech Audits

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced  its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from a staff member’s vehicle. OCR launched a subsequent investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of confidential ePHI as part of its security management process.  Further, the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

The Final Omnibus Rule has been discussed at length on this blog (here and here) and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented to correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small and medical practice practitioners are gravely mistaken if they think they are off OCR’s radar.

The importance of HIPAA risk analysis cannot be stressed enough. The Practice failed to have a risk analysis and paid the costly consequences. Not only is an analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and 2 “Meaningful Use.”

The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis? On Thursday, we will review the risks associated with these devices and how encryption of ePHI can help insulate your practice from liability.

Christopher J. Shaughnessy is a member at McBrayer law.  Mr. Shaughnessy concentrates his practice area in health care law and is located in the firm’s Lexington office.  He can be reached at cshaughnessy@mcbrayerfirm.com or at (859) 231-8780, ext. 1251. 

Services may be performed by others.

This article does not constitute legal advice.

Lexington, KYLouisville, KYFrankfort, KYFrankfort, KY: MML&K Government Solutions