This hefty HHS fine was issued against a back and spine pain management medical practice in Florida. The December 5 HHS announcement linked below says the medical practice failed to: (1) terminate a consultant's access to medical personal health information (PHI) of its clients, (2) do a decent risk analysis to avoid a breach, (3) put in procedures to prevent it, (4) regularly review records of activity in systems with PHI, and (5) establish and modify workforce members' access to information systems.
HHS found that over 34,000 records were compromised and the former consultant was alleged to have created false medical claims leading to roughly 6,500 false Medicare claims. The medical provider was also found to have violated the HIPAA Security Rule.
More can be found by following the link below, but the message is simple: IMPLEMENT STATE OF THE ART SECURITY PROCEDURES AND FOLLOW THEM. If you handle PHI, how hard is it to have well-written policies and responsible employees who follow them?
The first step is to analyze the risk.
The second is to implement policies and procedures.
The third step is to follow them.
The fourth step is to monitor.
If you handle PHI, have an internal team and/or a third party periodically or continuously monitor the comprehensiveness of the policies and their implementation, and fix what's broken.
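Two of the failures listed in the announcement, not terminating the consultant's access and not regularly reviewing records of system activity, are exactly what a scheduled access review catches. The script below is an added illustration of that fourth step; it is not code from the post, from HHS, or from the practice involved. The workforce roster, the list of enabled accounts, the log line format ("date user action record") and the review date are all constructed for the example.

```python
"""Periodic access review for a system holding PHI (added illustration).

Two checks a practice could run on a schedule:
  1. Orphaned accounts: accounts still enabled in the PHI system although the
     roster says the person's engagement (employee or consultant) has ended,
     or accounts that are not on the roster at all.
  2. Post-termination activity: access-log entries recorded by a user after
     the date on which their access should have been revoked.

All data below is constructed for the example; the log format is an
assumption, not any real product's format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class WorkforceMember:
    username: str
    role: str
    access_end: Optional[date]  # None means the engagement is still active


# Constructed roster: two staff members and one consultant whose engagement ended.
ROSTER: Dict[str, WorkforceMember] = {
    "jdoe": WorkforceMember("jdoe", "billing", None),
    "rsmith": WorkforceMember("rsmith", "clinician", None),
    "consult01": WorkforceMember("consult01", "consultant", date(2019, 1, 15)),
}

# Constructed export of the accounts currently enabled in the PHI system.
# "svc_backup" is deliberately absent from the roster.
ACTIVE_ACCOUNTS: List[str] = ["jdoe", "rsmith", "consult01", "svc_backup"]

# Constructed access-log lines: "<ISO date> <user> <action> <record-id>".
ACCESS_LOG = """\
2019-01-10 consult01 VIEW patient/1042
2019-01-20 consult01 VIEW patient/1043
2019-02-02 consult01 EXPORT claims/batch-7
2019-02-02 jdoe VIEW patient/1044
2019-02-03 rsmith UPDATE patient/1044
"""

# Constructed date on which the review is run.
REVIEW_DATE = date(2019, 3, 1)


def find_orphaned_accounts(active: List[str], roster: Dict[str, WorkforceMember],
                           as_of: date) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for enabled accounts that should not have access.

    Accounts missing from the roster are reported too: an unexplained account
    is precisely what an access review exists to surface.
    """
    orphaned = []
    for user in active:
        member = roster.get(user)
        if member is None:
            orphaned.append((user, "not on workforce roster"))
        elif member.access_end is not None and member.access_end < as_of:
            orphaned.append((user, f"access ended {member.access_end.isoformat()}"))
    return orphaned


def find_post_termination_activity(log_text: str, roster: Dict[str, WorkforceMember]
                                   ) -> List[Tuple[date, str, str, str]]:
    """Return (date, user, action, record) for activity after a user's access end date."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, user, action, record = line.split()
        when = date.fromisoformat(day)
        member = roster.get(user)
        if member is not None and member.access_end is not None and when > member.access_end:
            findings.append((when, user, action, record))
    return findings


if __name__ == "__main__":
    for account, reason in find_orphaned_accounts(ACTIVE_ACCOUNTS, ROSTER, REVIEW_DATE):
        print(f"ORPHANED ACCOUNT  {account:<12} {reason}")
    for when, user, action, record in find_post_termination_activity(ACCESS_LOG, ROSTER):
        print(f"POST-TERMINATION  {when} {user} {action} {record}")
```

Run against the constructed data, the first check flags the consultant's still-enabled account and the unexplained service account; the second flags the two log entries the consultant recorded after the access end date. The point of the design is that the roster, not the application's own user list, is the source of truth for who should have access, so the review can only pass when the offboarding step was actually done.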
Get help to understand, then do something.
HHS has made it clear that these mistakes should not have happened. The cost of reasonable compliance for the privilege of handling PHI is minimal. The cost of making careless mistakes is maximal: big fines and crippling, bad publicity.