Question: Case Study: HIPAA Privacy and Security Rule Violation
In violation of the HIPAA Privacy and Security Rules, two entities within a healthcare system, home health services and hospice services, had several instances over about a seven-month period where backup tapes, optical disks, and laptops were left unattended and eventually lost or stolen. All of the devices contained unencrypted ePHI on more than patients. The healthcare organization responded to state notification laws and to the HHS with more than complaints submitted as a result. Working together, OCR and CMS focused the investigation on the organization's failure to implement policies and procedures to safeguard this information. The HHS entered into a resolution agreement with the organization to settle the violation. It was agreed that the CE would pay a $ resolution amount (due to cooperation, this resolution amount was in lieu of a civil monetary penalty that could have been much more) and implement a robust corrective action plan. This plan included revising policies and procedures for physical and technical safeguards (encryption) governing offsite transport and storage of the electronic media that contained PHI, training the workforce on the safeguards, conducting routine audits and site visits of facilities within the organization, and submitting the required compliance reports to HHS for three years.
This case is an example of a situation where a resolution agreement is suitable. In the majority of compliance issues investigated, there is one facility with one type of breach involved and one major corrective action imposed. In this case, there were two different entities with several different types of data storage devices involved. There were several different corrective actions, including a payment to be made and a comprehensive corrective action plan with numerous items to be accomplished over a period of time. The required compliance reports assured compliance and accountability.
