When the OCR Issues Guidance or Technical Advice You Have 2 Options. Listen or Pay
This got me thinking about all the HIPAA Settlements that were agreed to AFTER the OCR issues technical advice.
I talked about the settlement with West Georgia Ambulance company issued on December 30th, 2019 on a recent episode of the ProactiveIT Podcast. They had to pay $65,000 for an incident in 2013. The incident was initiated with a laptop that went missing (allegedly fell off the back of an ambulance).
The laptop was not encrypted which does violate HIPAA. The OCR came in to do an investigation and discovered a lot of HIPAA compliance issues. The OCR issues technical advice. Technical advice essentially means here’s what you need to do to correct the HIPAA compliance issues we have found.
The ambulance company ignored them. When the OCR followed up and discovered that their technical advice was ignored, they took further action. This action eventually turned into a $65,000 settlement and a 2-year corrective action plan (which will cost more than the settlement).
The initial fine was probably a lot more than the final settlement.
HHS Just Wants to Ensure Patient Privacy and Access is Protected
Health and Human Services Office of Civil Rights (OCR) has stated on several occasions that it’s not about the fines. If it was it would be easy to just fine healthcare practices and business associates.
There are numerous instances of the OCR supplying a healthcare practice with technical support and that’s the end of it. If you are provided technical support from the OCR it pays to listen.
It really is all about patient care. Are you protecting their health information and sensitive data? Are you providing access to their health information in a reasonable manner when requested?
What is Technical Support From the OCR?
Technical support from the OCR is not like Technical Support from IT. What they’re really doing is telling you how to fix your HIPAA Compliance issues.
For example, in the case of the ambulance company they uncovered that the laptop was not encrypted. When they investigated further, they also discovered access controls were not in place and reasonable security was not being utilized to protect PHI, and there was no real HIPAA compliance program in place.
The OCR advised the ambulance company what they needed to do to resolve these issues.
West Georgia Ambulance essentially ignored the technical advice. In doing so they became negligent. That ended up costing a small business of 64 employees $65,000 plus two years of the OCR monitoring them to ensure they put a HIPAA Compliance program in place.
Guidance and Technical Support from the OCR Should be Taken Seriously
The OCR and I think a lot alike. I will give you the information and advice you need. It’s up to you to act on it.
I provide technical advice all the time. Honestly, it gets ignored probably 80% of the time. And sometimes it ends up costing the business owner a lot more in the long run.
OCR’s main objective is to make sure patient care includes protecting patient information and making it accessible to the patient when they want it.
You may have heard of the CIA Triad (no it’s not a special ops group in the CIA).
- Confidentiality
- Integrity
- Availability
What this means:
Patient’s healthcare information should remain confidential. The integrity of that information should be protected, and it should be available to the patient when needed.
The OCR just wants to ensure the CIA Triad is followed by healthcare providers and business associates. They just want to make sure patients are cared for. It is called patient CARE after all.
If they provide guidance or assistance in any manner, whether it’s a web page, official letter, audit or email you should take it VERY SERIOUSLY. The next step would cost you significantly more if you don’t.
And at the end of the day, it’s all about patient CARE whether you’re a healthcare practice or a business that supports them.