Last fall, a small local doctor’s office was robbed. During the lunch hour, while staff members were in the back office, a thief walked into the doctor’s copy room and stole a laptop containing protected health information (PHI). Eight months and $20,000 later, the good doctor narrowly avoided a possible $1.5 million governmental fine.
In the healthcare compliance system, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is both the referee and governing body.
Once the OCR received a report that the doctor’s laptop was stolen, they came marching in to conduct an inquiry. The OCR asked for:
- A formal written description of the event;
- Evidence of corrective action taken by the doctor’s office;
- Documentation of mitigation steps taken;
- A copy of the doctor’s policies and procedures to safeguard PHI;
- Copies of any risk analyses assessing potential threats and vulnerabilities to the office’s PHI;
- Documentation showing the office had implemented security measures sufficient to reduce risks;
- Documentation showing the office had implemented a mechanism to encrypt and decrypt electronic PHI;
- Confirmation of whether the theft was reported to the OCR’s web portal; and
- Many other weighty requests.
Unfortunately, the doctor only had a hand-me-down notice of privacy policies that staffers routinely gave to new patients. That was it. Nothing else. Risk Analysis? Encryption? Mitigation? Security measures? OCR web portal? The doctor had no idea what any of that meant.
Consequently, the doctor had to retain legal counsel and an information security expert to build and implement — retroactively — new policies, procedures and practices that were compliant with HIPAA’s privacy rule, breach notification rule, and security rule. These professionals also assisted the doctor with the careful response and communications to the OCR. Thankfully, the doctor’s retroactive (and very expensive) efforts helped him avoid the fine. The OCR is typically not so lenient. He also narrowly avoided having to notify more than a few thousand patients, which would have been a significant expense and likely embarrassment. The national average for notification and credit monitoring is $214 per patient.
The OCR has very publicly announced that it is picking up its audit program and will begin a new round of audits starting soon. Healthcare professionals need to be prepared by not only understanding, but by meeting privacy, security and breach notification requirements. Pleading ignorance is not a defense when the OCR calls.
The doctor in this account could have completely avoided all the time, expense, and financial risk had he:
- Spent a few hours to implement written privacy, security and breach notification policies and procedures; and
- Implemented some simple security measures, such as encryption
Every practitioner should recognize the seriousness of compliance and the OCR. As a result, we have prepared and are making available a template of policies and procedures for you to use in your practice. We can also refer you to professionals who will provide tips and actionable items to help you win compliance and protect your practice.
ABOUT THE AUTHOR
Shawn M. Lindsay, Esq., partner at Harris Berne Christensen LLP. Mr. Lindsay is a skilled business and intellectual property attorney. He is also a former member of the Oregon State House of Representatives.
Shawn’s experience includes representing clients in the following areas: software and commercial licensing; establishing, acquiring, transferring, and preserving intellectual property rights; business entity formation and structuring; business transitions and successions; mergers and acquisitions; privacy and security; HIPAA compliance; and government relations. Shawn is one of the few attorneys in Oregon who has passed the International Association of Privacy Professionals’ (“IAPP”) Certified Information Privacy Professional/United States (“CIPP/US”) exam.
You can reach Mr. Lindsay at 503-968- 1475 or email@example.com.