HHS settlement reveals importance of risk analysis

093015 blog post

For some dentists there is an “it won’t happen to me” belief that gives them a false sense of security. Completing a risk analysis is generally not a priority.

For one healthcare organization, not completing a risk analysis and failing to have strong policies and procedures contributed to a breach of unsecured protected health information. Electronic protected health information (ePHI) was breached when a laptop bag was stolen from an employee’s car, resulting in a $750,000 HIPAA settlement.

According to the U.S. Department of Health and Human Services (HHS) announcement, the laptop bag contained the employee’s computer and unencrypted backup media. The computer contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 current and former patients. While this may be far more names than in the average dental practice, it still highlights the need for a risk analysis.

The HHS investigation found that the organization was not in compliance with the HIPAA Security Rule prior to the breach. Specifically, the organization had failed to conduct an enterprise-wide risk analysis. In addition, the organization had no written policy specific to the movement of hardware and electronic media containing ePHI into and out of its facilities.

OCR Director Jocelyn Samuels said, “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information. Proper encryption of mobile devices and electronic media reduces the likelihood of a breach of protected health information.”

This settlement is an important reminder that HHS takes risk analysis and policies and procedures seriously. Healthcare Compliance Pros, a Burkhart-recommended vendor partner, offers three options for conducting a security risk analysis (SRA), identifying areas that should be addressed or corrected and where policies and procedures may be missing. If you would like more information about SRA options, or if you have any compliance questions, please send them an email at support@healthcarecompliancepros.com or call 8554270427.
