Can you imagine paying millions of dollars for the theft of your office devices? Imagine paying the price for a crime orchestrated by someone else. Indeed, HIPAA can be a nightmare for healthcare providers who take the confidentiality of patients’ information very lightly. The process of fulfilling HIPAA compliance requirements can be quite complicated. What makes this law a burden is the ongoing effort required within organizations to protect sensitive health information. This is why many progressive organizations use HIPAA compliance management software to streamline their compliance activities.
The consequences of non-compliance
Lifespan, the Rhode Island-based health system, was very recently hit with a massive $1 million fine. The settlement is tied to a data breach that took place in 2017, in which the theft of an unencrypted laptop potentially exposed the data of 20,000 individuals.
The problem started when an affiliated hospital employee’s laptop was stolen in April 2017. A wide range of electronic protected health information (ePHI) was stored in the device, including patients’ names, medical record numbers, and demographic and medical information.
After the investigation, the Office for Civil Rights (OCR) determined that the affiliated hospital, Lifespan Ace, did not encrypt ePHI on any of their laptops and lacked device and media controls. Shockingly, Lifespan Ace had also failed to execute a business associate agreement with its parent company.
A few healthcare organizations have been hit with massive fines by the OCR in recent times. Among them is the Sentara Hospital, which has been fined $2.2 million by the OCR. According to the OCR, in addition to mailing patient PHI to 577 incorrect recipients, Sentara’s leaders decided to not report the full extent of the breach.
In early 2019, OCR also fined Touchstone Imaging Medical a whopping $3 million. The medical imaging firm learned that its data had been breached only after being notified by the FBI and OCR. What’s more, the firm waited several months to investigate the security incident despite being warned by the FBI and OCR. By then, 300,000 patients’ data had already been compromised.
What can we learn?
There are myriad other examples where healthcare organizations have been fined due to unsatisfactory HIPAA practices. The lesson we can learn from these is that you should either use HIPAA compliance management software or get assistance from someone who is well versed in the provisions of HIPAA. OCR Director Roger Severino also advises organizations to encrypt their mobile devices. Thefts are inevitable, and it is best to encrypt mobile devices to thwart identity thieves.
Unencrypted devices are a major vector for medical identity theft. You should either encrypt your devices or implement measures to prevent further repercussions like medical identity theft. Many leading hospitals use biometric patient identification platforms to not only prevent medical identity theft but also improve patient matching rates and eliminate duplicate records.
What will you find in our HIPAA compliance management software?
Lifespan has signed a resolution agreement with OCR to devise a corrective action plan. Under this plan, the health system is required to:
- Provide proof of encryption and access control within 90 days;
- Review and update written policies and procedures on device and media controls;
- Distribute the updated policies and procedures to all the workforce members who use or disclose ePHI;
- Provide training to its employees on the policies and procedures regarding ePHI.
Our HIPAA compliance management software, HIPAA Ready, includes all of the features to streamline the above-mentioned procedures. This robust cloud-based HIPAA compliance management software is designed to reduce administrative burden and remove HIPAA-related complexities. An important feature of our HIPAA compliance management software is that it keeps a log of all the devices that contain ePHI. With a few simple keystrokes, you can check which device needs to be encrypted or needs a password change and to whom the devices are assigned.
With our HIPAA compliance management software, you will be able to perform internal audits and security risk assessments effortlessly. What’s more, our pricing strategy ensures that even small or medium-sized companies can protect their practice over the long term.
Grab the opportunity to simplify your HIPAA compliance tasks and learn new ways to manage and protect your practice.