Tuesday, March 21, 2017

Delays in Breach Notification = OCR Fines

The first OCR fine of 2017 was issued to Presence Health for delaying notification to the 836 patients affected by a breach it experienced in 2013. Presence Health reported the breach to HHS on January 31, 2014. Note that the "within 60 days after the end of the calendar year in which the breach is discovered" deadline for reporting to HHS applies only to breaches affecting fewer than 500 individuals; for a breach of 500 or more, like this one, HHS and prominent media outlets must be notified on the same schedule as the affected individuals, without unreasonable delay and no later than 60 days after discovery.

Many articles have been written about the need to investigate a potential breach: establish what happened and how it happened, and do a thorough job of compiling, as completely as possible, the names of all individuals affected so that notification can take place. What you don't want to do is forget the Breach Notification Rule, which states that for a breach of any size, patients must be notified "without unreasonable delay, but in no case longer than 60 days" after discovery. The investigation runs inside that 60-day window, not before it starts. There are a few exceptions, such as a documented law enforcement delay request and other rare situations, but the rule is clear.

The fine ($475,000 in this case) is significant enough, but remember that an OCR fine generally comes with a corrective action plan (CAP). In this particular case, the CAP required revising existing policies and procedures related to the Breach Notification Rule. Training materials also had to be updated and provided to the appropriate workforce members, with documentation of the date the training was provided. Evidence of compliance with the CAP is always required.

A couple of key takeaways: OCR investigates every reported breach affecting 500 or more individuals, and it generally takes a good bit of time for OCR to make its determination based on the information it requests and receives. If infractions are identified, the fine follows, and the CAP will take resources and an investment on the facility's part. Breaches and their impact are significant, and the financial costs associated with them run deep.


Thursday, February 2, 2017

CYBERCRIME UPDATE

The rise of cybercriminal activity in healthcare is cause to review current security protocols and practices. Since 2017 is well underway, this may be the right time to update HIPAA policies and procedures, check those business associate agreements, formalize a breach response plan, and carefully review and update your security risk analyses.

It didn't take very long for the bad guys to figure out where the valuable ePHI resides, and they have made quick work of targeting health plans and healthcare organizations across America. In 2015 alone, 57 large breach events compromised the data of over 112 million patients.

At the present time, based on end-of-year 2016 data from the OCR breach portal (the "wall of shame"), nearly 75% of the total number of patients impacted are the result of hacking activity. The number of patients affected by the hacking of healthcare organizations alone is about 128 million!

Because workforce members remain the easiest gateway for cybercrime activities, whether through a careless click or a misused credential, healthcare organizations should take the time to update their HIPAA education arsenal. One of the best defenses is an informed workforce. Periodic reminders using real-life events as examples are an excellent way to keep the workforce aware that what they do makes a difference. Another effective approach is to show examples of how emails that look authentic can simply be an invitation and gateway for intruders, and to make reporting a suspicious email easy and blame-free so that one person's click becomes a warning for everyone else. Help your workforce be your best first-line defense!


https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf