{"id":244,"date":"2018-05-21T07:00:59","date_gmt":"2018-05-21T07:00:59","guid":{"rendered":"https:\/\/advantagehcconsulting.com\/blog\/?p=244"},"modified":"2018-05-15T15:10:53","modified_gmt":"2018-05-15T15:10:53","slug":"hipaa-cover-these-hipaa-basics-or-risk-hefty-penalties","status":"publish","type":"post","link":"https:\/\/advantagehcconsulting.com\/blog\/2018\/05\/21\/hipaa-cover-these-hipaa-basics-or-risk-hefty-penalties\/","title":{"rendered":"HIPAA: Cover These HIPAA Basics Or Risk Hefty Penalties"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-245\" src=\"https:\/\/advantagehcconsulting.com\/blog\/wp-content\/uploads\/2018\/05\/hipaa-compliance.png\" alt=\"\" width=\"552\" height=\"414\" srcset=\"https:\/\/advantagehcconsulting.com\/blog\/wp-content\/uploads\/2018\/05\/hipaa-compliance.png 300w, https:\/\/advantagehcconsulting.com\/blog\/wp-content\/uploads\/2018\/05\/hipaa-compliance-210x158.png 210w\" sizes=\"auto, (max-width: 552px) 100vw, 552px\" \/><\/p>\n<p><span style=\"color: #ffffff;\"><strong><em>Learn a valuable lesson from this $2.3 million HIPAA settlement.<\/em><\/strong><\/span><\/p>\n<p>If you skimp on risk management or other HIPAA core duties, you may have to pay big when a breach occurs. 
That\u2019s what one health care provider has recently discovered.<\/p>\n<p><strong><span style=\"color: #ffffff;\">Background:<\/span>\u00a0<\/strong>The\u00a0<strong>Federal Bureau of Investigation\u00a0<\/strong>warned physician practice\u00a0<strong>21st Century Oncology Inc.\u00a0<\/strong>twice about a cyber invasion of its systems in 2015, resulting in large-scale HIPAA violations for failing to adequately secure its patients\u2019 electronic protected health information (ePHI) against an \u201cunauthorized third party,\u201d says an\u00a0<strong>HHS Office for Civil Rights\u00a0<\/strong>release.<\/p>\n<p>The Fort Myers, Florida, cancer treatment and oncology specialist with 179 locations in both the U.S. and Latin America left more than 2.2 million individuals exposed after internal investigations determined that its network SQL database had been illegally accessed through \u201cremote desktop protocol from an exchange server within 21CO\u2019s network,\u201d the OCR says. The report suggested evidence obtained from an FBI informant is what originally alerted the feds that the files with \u201cnames, social security numbers, physicians\u2019 names, diagnoses, treatment, and insurance information\u201d had been breached.<\/p>\n<p>OCR levied a $2.3 million monetary settlement against 21CO for its HIPAA violations and required the organization to put together a corrective action plan. \u201cPeople need to trust that their private health information will remain exactly that; private,\u201d says OCR Director\u00a0<strong>Roger Severino<\/strong>. \u201cIt\u2019s not just my hope that covered entities will learn from this example and proactively find and address their security risks, it\u2019s what the law requires.\u201d<\/p>\n<p>The OCR\u2019s biggest complaint pointed to 21CO\u2019s repeated blunders on compliance basics. The provider missed opportunities to better assess and manage its risk. 
And with large-scale settlements like this one becoming the norm, providers cannot be too careful when devising their HIPAA protocols. It remains evident that a strong compliance foundation, which promotes and outlines in writing the HIPAA Privacy and Security rules, provides some insulation against steeper penalties.<\/p>\n<p>\u201cCovered entities and business associates must insulate their businesses with a comprehensive compliance plan and risk analysis addressing and mitigating any applicable privacy and security risks,\u201d advises attorney\u00a0<strong>John E. Morrone<\/strong>, a partner at\u00a0<strong>Frier Levitt Attorneys at Law\u00a0<\/strong>in Pine Brook, New Jersey. \u201cThrough recent settlements, OCR has demonstrated its propensity to impose significant fines on entities that fail to implement appropriate safeguards, independent of the number of affected individuals or the content of the protected health information included in a particular breach.\u201d<\/p>\n<p><span style=\"color: #ffffff;\"><strong>Do this:\u00a0<\/strong><\/span>If your agency is due for a HIPAA compliance plan update, consider adding these priorities that 21CO failed to implement \u2014 but that the OCR looks for after a breach occurs:<\/p>\n<ul>\n<li>Evaluate thoroughly the \u201cpotential risks and vulnerabilities to the confidentiality, integrity, and availability\u201d of your patients\u2019 ePHI, OCR says.<\/li>\n<li>Integrate the federally required security measures necessary after the risk assessment to reduce the chance of the loss of ePHI.<\/li>\n<li>Manage and review your protocols often to ensure that the safeguards are working.<\/li>\n<li>Utilize such tools as audit logs, multi-factor authentication, systems controls, certified vendors and software, and tracking devices and reports that show inconsistencies in your system.<\/li>\n<li>Use and insist upon business associate agreements (BAA) with all business partners, suppliers, and 
vendors.<\/li>\n<\/ul>\n<p><strong><span style=\"color: #ffffff;\">Tip:<\/span>\u00a0<\/strong>After you assess your risk and as part of your HIPAA-plan implementation and management, it is a great idea to create a list of all business associates that provide services to your organization and update this annually as changes arise and your agency evolves. It\u2019s easy to forget to alert BAs, and some may feel uncomfortable insisting that business partners, suppliers, and vendors follow HIPAA.<\/p>\n<p>Nonetheless, OCR insists your final steps include identifying BAs and setting up BAAs. They must understand what your 2018 initiative entails, why HIPAA is important to the integrity of your agency, and sign off on your principles in a BAA.<\/p>\n<p><a href=\"https:\/\/www.supercoder.com\/coding-newsletters\/my-homecare-week-alert\/hipaa-cover-these-hipaa-basics-or-risk-hefty-penalties-157610-article\"><i><span style=\"font-weight: 400;\">Source- SuperCoder<\/span><\/i><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn a valuable lesson from this $2.3 million HIPAA settlement. 
If you skimp on risk management or other HIPAA core duties, you may have to pay big when a breach &hellip; <a class=\"readmore\" href=\"https:\/\/advantagehcconsulting.com\/blog\/2018\/05\/21\/hipaa-cover-these-hipaa-basics-or-risk-hefty-penalties\/\">Continue Reading &rarr;<\/a><\/p>\n","protected":false},"author":1,"featured_media":245,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[11,12,13,14],"class_list":["post-244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-compliance","tag-home-care","tag-hospice","tag-ltc","tag-snf"],"_links":{"self":[{"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/comments?post=244"}],"version-history":[{"count":3,"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":248,"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/posts\/244\/revisions\/248"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/media\/245"}],"wp:attachment":[{"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/media?parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/categories?post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advantagehcconsulting.com\/blog\/wp-json\/wp\/v2\/tags?post=244"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}