When the OCR Issues Guidance or Technical Advice You Have 2 Options: Listen or Pay
This got me thinking about all the HIPAA settlements that were agreed to AFTER the OCR issued technical advice.
I talked about the settlement with West Georgia Ambulance company issued on December 30th, 2019 on a recent episode of the ProactiveIT Podcast. They had to pay $65,000 for an incident in 2013. The incident was initiated with a laptop that went missing (allegedly fell off the back of an ambulance).
The laptop was not encrypted, which does violate HIPAA. The OCR came in to do an investigation and discovered a lot of HIPAA compliance issues. The OCR issued technical advice. Technical advice essentially means "here's what you need to do to correct the HIPAA compliance issues we have found."
The ambulance company ignored them. When the OCR followed up and discovered that its technical advice had been ignored, it took further action. This action eventually turned into a $65,000 settlement and a 2-year corrective action plan (which will cost more than the settlement).
The initial fine was probably a lot more than the final settlement.
HHS Just Wants to Ensure Patient Privacy and Access is Protected
The Health and Human Services Office for Civil Rights (OCR) has stated on several occasions that it's not about the fines. If it were, it would be easy to just fine healthcare practices and business associates.
There are numerous instances of the OCR supplying a healthcare practice with technical support, and that's the end of it. If you are provided technical support by the OCR, it pays to listen.
It really is all about patient care. Are you protecting their health information and sensitive data? Are you providing access to their health information in a reasonable manner when requested?
What is Technical Support From the OCR?
Technical support from the OCR is not like technical support from IT. What they're really doing is telling you how to fix your HIPAA compliance issues.
For example, in the case of the ambulance company, they uncovered that the laptop was not encrypted. When they investigated further, they also discovered that access controls were not in place, that reasonable security was not being used to protect PHI, and that there was no real HIPAA compliance program in place.
The OCR advised the ambulance company what they needed to do to resolve these issues.
West Georgia Ambulance essentially ignored the technical advice. In doing so, they became negligent. That ended up costing a small business of 64 employees $65,000 plus two years of the OCR monitoring them to ensure they put a HIPAA compliance program in place.
Guidance and Technical Support from the OCR Should be Taken Seriously
The OCR and I think a lot alike. I will give you the information and advice you need. It’s up to you to act on it.
I provide technical advice all the time. Honestly, it gets ignored probably 80% of the time. And sometimes it ends up costing the business owner a lot more in the long run.
OCR’s main objective is to make sure patient care includes protecting patient information and making it accessible to the patient when they want it.
You may have heard of the CIA Triad (no it’s not a special ops group in the CIA).
- Confidentiality
- Integrity
- Availability
What this means:
Patients' healthcare information should remain confidential. The integrity of that information should be protected, and it should be available to the patient when needed.
The OCR just wants to ensure the CIA Triad is followed by healthcare providers and business associates. They just want to make sure patients are cared for. It is called patient CARE after all.
If they provide guidance or assistance in any manner, whether it's a web page, official letter, audit, or email, you should take it VERY SERIOUSLY. The next step will cost you significantly more if you don't.
And at the end of the day, it’s all about patient CARE whether you’re a healthcare practice or a business that supports them.
Here is some important information which, let's face it, nobody explains to you in such detail and so simply. Thank you.
Very interesting information, and all explained in a way that is easy for others to understand. You’re so helpful! Thanks so much for sharing this with all of us!
I know I want my info to be safe when I see a doctor, so I always hope everything goes smoothly. A few times there has been a breach, and that can be irritating.
I think that institutions that own sensitive data should hire professional companies to take care of their IT systems. Hacking can happen to anyone and it is understandable, even if you have support, but not protecting the data in the first place has no excuse.
I'm glad HIPAA came to be. I feel safer now that my medical info is protected.
There seem to be so many moving parts to all of this. It is a shame there isn’t some central program that just automatically makes all of the security work. I get how naive that perspective is, though, as people know how to hack the latest technology as soon as it is out if not earlier. Sigh.
This is so well written! So interesting and informative; I learned so much about HIPAA!
I feel it's annoying when they don't help solve the issues but instead give you another task, like solving others. Great and informative post!
I was a bit familiar with some of this since I previously worked in healthcare (a couple of the things you mentioned were briefly covered in some of my classes and my orientation).
I'm not so familiar with this, but it was quite informative and I'm happy to have come across it.
I am actually surprised that the West Georgia Ambulance company actually ignored the initial technical advice that was given. I have a background in IT, software and security for over 15 years so I understand how serious this is when it comes to PHI.
Medical information should always be protected. Lots of needed info here!