Businesses with access to patient health data risk HIPAA violations that can lead to steep federal and state penalties. Elliot Dinkin, president of Cowden Associates, Inc., notes the importance of protecting medical information in light of recent data breaches and multimillion-dollar fines.
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) recently announced a settlement imposing $3 million in fines on Touchstone Medical Imaging. A 2014 data breach revealed that the medical office violated numerous HIPAA (Health Insurance Portability and Accountability Act of 1996) policies. The steep penalty was determined by a few main factors, including failure to protect health data from unauthorized access, the initial denial by Touchstone that a problem existed and failure to provide timely notification of the breach to affected individuals[1].
“This and other recent sanctions make it clear that the OCR is serious about penalizing HIPAA violations,” said Elliot Dinkin, a nationally known expert in actuarial, compensation and employee benefits issues. “Businesses providing support services to healthcare providers need to be aware of their exposure to this risk, and to make certain they have the proper agreements in place with any subcontractors they may employ in providing these services.”
The government’s multimillion-dollar settlement with Touchstone Medical Imaging was not an isolated incident. Two weeks after the case was resolved, OCR announced a $100,000 settlement of another HIPAA violation action, this one against Medical Informatics Engineering, Inc. (MEI). In this case, the data breach took place at MEI’s subsidiary NoMoreClipboards, where hackers were able to gain access to the protected health information of 3.5 million individuals. Along with the financial penalty, MEI agreed to conduct an organization-wide program to identify data risks and reduce them to a “reasonable and acceptable” level[2].
In addition to the sanctions levied by OCR, the attorneys general of 18 states brought a multi-state action stemming from the same data breach, resulting in an additional $900,000 penalty levied against MEI[3].
“Given the recent tendency on the part of HHS toward active enforcement, we strongly urge business associates and covered entities to review their current agreements with an expert in the field to make certain they are in compliance with HIPAA,” Dinkin said.
While the HIPAA Privacy Rule, issued by HHS in 2001, applies only to certain organizations—health plans, healthcare clearinghouses and some healthcare providers—the law recognizes that many of these entities do not carry out all healthcare activities themselves. Thus, they are authorized to share protected health information (PHI) with third-party claims processors, CPA firms, attorneys, consultants, independent medical transcriptionists, pharmacy benefits managers and other organizations that will be accessing protected medical records[2]. When these business associates receive protected health information, they become liable for the unauthorized disclosure of that information[4].
“If a covered entity uses a business associate, there must be a written contract, called a business associate agreement, that requires the business associate to comply with certain requirements under the HIPAA rules,” he concluded.
Date: August 19, 2019
Source: Yahoo