In light of the recent $750,000 settlement agreement reached by The University of Washington Medicine (UWM), following the conclusion of a U.S. Department of Health and Human Services Office for Civil Rights (OCR) investigation into a claim of a potential data breach compromising the medical details of thousands of patients, it might be a good time for medical practices and healthcare organizations of all sizes to review their electronic security protocols, to ensure that they are not running afoul of HIPAA and patient confidentiality laws (even by accident – it still counts as a breach even if an organization is not aware of it!)
“All too often we see covered entities with a limited risk analysis that focuses on a specific system, such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” said OCR Director Jocelyn Samuels. “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”
What to Look Out for When Conducting an HIPAA Compliance Risk Assessment
All covered entities under The Health Insurance Portability and Accountability Act (HIPAA) must ensure organization-wide compliance with the regulations. Covered entities include:
- Healthcare plans
- Healthcare providers – doctors, hospitals, clinics, pharmacies, and nursing homes
In order to run a successful risk assessment to ensure that your entire organization and any subsidiaries are compliant, covered entities are encouraged to follow four basic principles:
It’s important to know that many breaches of patient confidentiality standards often occur by accident, by inadvertently using a computer with malware installed, or sending information over networks that are not secure. Analyzing your organization’s and practice’s systems for potential vulnerabilities is a good place to start. As the UWM case has shown, HIPAA violations can prove to be costly after the fact.