HIPAA HITECH Breach by a Small Practice: Actual Experience

Tuesday, May 17, 2011

Jack Anderson


A HIPAA HITECH breach caused by an office burglary resulted in a letter from OCR demanding a large amount of information in a very short time frame. Below are actual quotes from the OCR letter, which are as scary as an IRS audit letter...

The OCR letter detailing the allegations gave the practice 21 days to respond with the following:

1. Documentation of the covered entity's admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.

2. Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.

3. Documentation of the covered entity's corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:

    a. sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity's current policies and procedures, and as required by the Privacy Rule.

    b. re-training of appropriate workforce members.

    c. mitigation of the harm alleged, as required by the Privacy Rule.

4. A copy of your HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.

5. A copy of the policies and procedures implemented to safeguard the CE's facility and equipment.

6. Evidence of physical safeguards implemented for computing devices to restrict access to PHI.

7. A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.

8. Evidence of security awareness training for involved workforce members including training on workstation security.

9. Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.

10. A copy of the written notification of the breach provided to the affected individuals.

11. A copy of the written notification given to the media. This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.

Could your organization come up with this in 21 days?

Compliance Helper can help you get compliant, stay compliant, and prove compliance with the Compliance Meter for a few dollars a day.

Cross-posted from Compliance Helper
