
HIPAA Enforcement Highlights

HIPAA Enforcement Highlights. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. Providence Health & Services (Providence) July 2008.

tabib

Presentation Transcript


  1. HIPAA Enforcement Highlights
     The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules.

  2. Providence Health & Services (Providence), July 2008
     • Resolution Agreement with HHS to settle potential violations of the HIPAA Privacy and Security Rules.
     • Providence removed and left backup tapes, optical disks, and laptops containing unencrypted protected health information unattended. Subsequently, the media and laptops were lost or stolen.
     • Compromised the protected health information for over 300,000 patients.

  3. Providence Health & Services (Providence), July 2008
     • Under the three-year Resolution Agreement, Providence agreed to:
       • Pay $100,000.
       • Implement a corrective action plan:
         • Revise policies and procedures.
         • Train workforce members.
         • Conduct audits and site-visits.
         • Submit compliance reports.

  4. Blue Cross and Blue Shield of Tennessee (BCBST), October 2009
     • Settled with the government in response to alleged violations of the HIPAA requirements.
     • 57 unencrypted computer hard drives were stolen, containing over one million individuals’ protected health information.
     • BCBST had not performed the necessary security evaluation prior to storing individuals’ protected health information at the facility.

  5. Blue Cross and Blue Shield of Tennessee (BCBST), October 2009
     • Under the Settlement Agreement, BCBST is required to:
       • Pay $1.5 million.
       • Develop a corrective action plan:
         • Review and update HIPAA policies and procedures.
         • Administer HIPAA training to its workforce.
         • Update the facility access plans to prevent future thefts of protected health information.

  6. Cignet Health of Prince Georges County, MD, October 2010
     • OCR imposed a civil money penalty (CMP) on Cignet Health for violating HIPAA requirements.
     • Cignet Health denied 41 patients access to their medical records. They received a $1.3 million CMP.
     • Cignet Health failed to cooperate in the OCR investigation. They received a $3 million CMP.
     • Cignet did not request a hearing, and therefore the total CMP of $4.3 million is final.

  7. Massachusetts General Hospital (MGH), February 2011
     • Settled with the government in response to a violation of the HIPAA Privacy Rule.
     • An MGH employee lost information for 192 patients of MGH’s Infectious Disease Associates outpatient practice on the subway train.
     • These unrecovered documents included information such as patient names, dates of birth, medical record numbers, health insurer and policy numbers, diagnoses, and names of providers.

  8. Massachusetts General Hospital (MGH), February 2011
     • Under the three-year Resolution Agreement, MGH agreed to:
       • Pay $1 million.
       • Develop a corrective action plan:
         • Revise policies and procedures.
         • Train workforce members.
         • Authorize the Director of Internal Audit Services of Partners Healthcare System Inc. to act as an internal monitor.

  9. The University of California at Los Angeles Health System (UCLAHS), July 2011
     • Resolution Agreement with HHS to settle potential violations of the HIPAA Privacy and Security Rules.
     • Two complaints that employees were inappropriately examining protected health information of patients.
     • UCLAHS had not documented or made available Security Rule training for employees, sanctioned employees for their actions, or put adequate security measures in place to protect patient health information.

  10. The University of California at Los Angeles Health System (UCLAHS), July 2011
      • Under the three-year Resolution Agreement, UCLAHS agreed to:
        • Pay $865,500.
        • Enforce a Corrective Action Plan:
          • Revise policies and procedures.
          • Distribute and update policies and procedures.
          • Train workforce members.
          • Assign an independent individual or agency to monitor compliance.

  11. Conclusion
      • Under the Patient Protection and Affordable Care Act, the HHS Office for Civil Rights is required to increase enforcement activities of security, privacy, and breach. Providers must ensure they have adopted the necessary safeguards.
      • Safeguards include:
        • Developing HIPAA policies and procedures.
        • Developing and administering HIPAA compliance training.
        • Conducting HIPAA Risk Assessments.
        • Forming HIPAA-related strategies and business plans.
      • Strategic Management can help your organization with these safeguards and more.
