An IT and health information management company, CHSPSC LLC, (“CHSPSC”) has agreed to pay over $2 million to Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to pay for the breach of Protected Health Information (PHI). The Business Associate was notified by the Federal Bureau of Investigation (FBI) that it had traced a cyberhacking group’s advanced persistent threat to CHSPSC’s information system.
After OCR ‘s investigation, it was found that CHSPSC had “longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.” The large health system provided various Business Associate services including IT and health information management, to hospitals and physician clinics.
These violations could have easily been avoided.
“The healthcare industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.
In addition to the monetary penalty, the Business Associate will be required to complete a “robust” Corrective Action Plan (CAP) with at least two years of monitoring activity. CHSPSC will also be required to do the following:
Implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to information systems maintained.
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
Have you ever read such headlines and doubted whether a small Billing Company or independent physician practice actually ever face penalties?
As we have stressed before, it is important for you to understand that every complaint or potential breach must be investigated by HHS/OCR. If you, a billing company, or other vendor, suspects a breach you must inform the covered entity (your client) and have a breach risk assessment completed to determine key factors and take action.
“I’m a small business, in a small town. How could anything like this ever happen to me?”
Keep in mind, a Business Associate is a ‘person’ or ‘entity’. This means there is no Billing Company too small or too large to comply with the Federal HIPAA regulations. Again, if you haven’t completed an accurate and thorough security risk assessment prior to that, you could also be penalized under ‘willful neglect’. This category alone is $50,000 per violation!
What can I do to ensure this doesn’t happen to me or my organization?
At Live Compliance, we make checking off your compliance requirements extremely simple.
Reliable and Effective Compliance
Completely online, our role-based courses make training easy for remote or in-office employees.
Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location.
Policies and Procedures curated to fit your organization ensuring employees are updated on all Workstation Use and Security Safeguards in the office, or out. Update in real time.
Electronic, prepared document sending and signing to employees and business associates.
Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status. Call us at (980) 999-1585, or email me, Jim Johnson, at Jim@LiveCompliance.com or visit www.LiveCompliance.com