Some recent cases highlight the importance of adequate risk analysis to comply with HIPAA requirements
Would HIPAA Approve of Your Risk Analysis?
Robert Ellis, President

The Department of Health and Human Services Office for Civil Rights (OCR) recently fined a Denver health center $400,000 for events connected to a data breach that happened in 2011. This is the smallest fine the OCR has assessed so far in 2017.
 
You may wonder why we're bringing this up. The violation had nothing to do with printed documents or mail. The offender is a covered entity under HIPAA, not a Business Associate like DDS customers.
 
Under HIPAA, Covered Entities include health plans and health care providers. Business Associates are individuals or companies that have access to protected health information and assist a covered entity with functions like claims processing or billing.
 
We're writing about this news because of lessons that do apply to the document industry and the service providers who handle data and documents containing protected health information.
 
The Denver healthcare provider is not paying the OCR $400,000 and adopting a strenuous corrective action strategy because of the 2011 breach. They are paying because of the subsequent investigation.
 
The OCR investigates cases where over 500 patient records are compromised to see if the guilty organization violated HIPAA rules. In this case, the investigation showed the covered entity took sufficient actions after the breach to prevent future phishing attacks. But OCR investigators also uncovered several HIPAA violations. The most serious offense was a missing risk analysis.
 
Trickle-Down Problems
In the eyes of the OCR, an entity that fails to assess the confidentiality, integrity, and accessibility of protected health information cannot be certain to have identified all the risks. If they can't identify all the risks, they cannot assume they have implemented sufficient measures to decrease those risks. These were the problems that provoked the HIPAA fines.
 
The OCR understands the impracticality for a covered entity to protect itself completely from something like a phishing attack. Had they done an adequate risk analysis before the breach, the financial damage to the Denver healthcare provider would likely have been minor. The expensive part wasn't the data breach; it was the lack of preparation.
 
The questions print service providers should ask themselves are:

1. Have we done a sufficient risk assessment?

2. Have we taken reasonable steps to lower the risks to HIPAA-acceptable levels?

3. Can we afford the consequences of an OCR investigation?

Phishing attacks can't be 100% prevented. Neither can document integrity errors. Unlike phishing, however, systems like DDS' iDataScan™ and iDataManager™ can catch document integrity errors before print/mail service providers become responsible for a HIPAA privacy breach.

If you have yet to assess your HIPAA risks, call us. We will help you find the weak points in your workflow and suggest suitable remedies.
If you would like to see a demonstration of the latest production automation technology contact us at the number below. We are proud to show you what we can do.

Document Data Solutions (DDS) is dedicated to providing Solutions To Move Your Business Forward™

We have developed a team of dedicated professionals to provide unrivaled consulting and custom solutions to help our customers separate their business from their competition and increase profits.
 
DDS' Vision inspection systems, data collection and management reporting capabilities for piece level verification are helping document centers of all kinds avoid the devastating effects of integrity errors. Our color printing technology is helping print service providers add new revenue streams and expand their businesses.
 
Give us a call to set up a webinar to see how we can develop a custom solution for your business.
