With HIPAA compliance, risk management isn’t optional
The Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services, recently announced its latest HIPAA enforcement action: a $650,000 settlement with Catholic Health Care Services (CHCS), a health care services unit of the Archdiocese of Philadelphia.
This occurred after the theft of an employee’s CHCS-issued mobile phone, which was unencrypted, not password protected, and contained extensive information for about 400 patients.
What the OCR found during the HIPAA compliance audit
After the loss of the phone was reported, the OCR investigation uncovered:
- Lack of encryption or passwords
- Lack of a risk assessment or plan regarding potential loss of mobile devices containing protected health information (PHI)
There are a lot of lessons here beyond the obvious need to encrypt and password-protect patient info on mobile devices. And these lessons are important for all healthcare organizations, regardless of whether their employees use mobile devices for work.
Risk assessment and management are not optional
The OCR cited the lack of risk assessment and risk management as one of the basic failings here. This is very much in line with previous HIPAA actions. Policies, training, and documented plans are as important as implementing specific technologies such as encryption.
Also, the OCR was very clear in the resolution agreement that CHCS was fully responsible, as a business associate, for following HIPAA security and privacy rules, just like a covered entity.
Learn more about HIPAA compliant IT services
Take a look at your HIPAA compliance strategies. Have you uncovered absolutely every scenario involving PHI? Do you have all the tools in place to manage your risk?
If not, take some time to explore how cloud-based IT services, like those from Intermedia, can help close HIPAA compliance gaps. You can learn about our IT services for healthcare organizations by visiting our website or giving us a call at 800-379-7729.