Importance of Audit, policy and continuing review in HIPAA
According to the Health and Human Services’ (“HHS”) Resolution Agreement and Corrective Action Plan regarding Memorial Healthcare System (“MHS”), two employees inappropriately accessed patient records and later reported 12 additional employees from an associated doctors’ offices impermissibly accessed privately identifiable information (“PII”) of patient records.
Access was granted to former employees, and MHS failed to implement policies and procedures to review system and document access by way of login monitoring, audit logs, security and tracking reports.
The resultant resolution penalty was $5.5 million dollars and an agreement to implement a corrective action plan.
Myth: HIPAA compliance is too expensive
Being HIPAA compliant isn’t the most difficult thing in the world. A good, knowledgeable MSP can assist a small practice without a ton of trouble. It takes some work, and of course, effort costs money.
Few medical providers realize that penalties for non-compliance can cost them over $200,000 on the low end, up to millions of dollars on the high end. Paying to do risk-assessments, penetration testing, and then fixing any issues that come up is a small price compared to what could be paid if the practice is audited and fined pale in comparison to a potential loss of profession license.
Doctors, dentists, lawyers, accountants, psychologists, nurses, EMT’s, paramedics, social workers, mental health counselors, and pharmacists (including Medical Marijuana dispensaries), are just some of the professions that have to abide by confidentiality requirements to keep their licenses.