Consider the following situation: your photocopier lease expires and you decide to upgrade because you need new machines, or ones that scan faster so you can upload documents to your medical record. The copier company takes the old machines and replaces them with new ones. Or simply your machine broke down and the technician came in and replaced some of the components, such as the power processor and the hard drive. Sounds innocent and quite common. As a matter of fact, most of these actions are but a nuisance that your office manager or administrator handles without missing a beat. Yet under the new rules, and as indicated by now existing legal precedent, this routine maintenance and upgrade could cost you $1.2 million.
Under a settlement with the U.S. Department of Health and Human Services (HHS), Affinity Health Plan, Inc. will settle potential violations of the HIPAA Privacy and Security Rules for $1,215,780. The core violation was that Affinity Inc. returned multiple photocopiers to a leasing agent without erasing the data contained in the copier hard drive. Additional violations identified by HHS included:
• Failure to incorporate electronic protected health information stored in the copiers’ hard drives in its analysis of risks and vulnerabilities, as required by the Security Rule;
• Failure to implement policies and procedures when returning the hard drives to its leasing agents.
In a way they were lucky that the HIPAA Omnibus Rule may not be enforced yet, as they could have been charged double the amount: the Business Associate (the copier company) failed the same items as Affinity Inc. They could even be charged with failure to obtain “satisfactory assurances” from the Business Associate and their subcontractors.
The actual settlement was also interesting in that it included what I’m starting to see as standard conditions in settlements:
1. Corrective Action Plan
2. Comprehensive Risk Analysis
3. Revision of Policies and Procedures
4. Train Staff
Of course they will also be required to use “best efforts” to retrieve all hard drives that were contained in these photocopiers, but that is a unique requirement of this case. My point, besides the obvious, is the use of vague language such as “satisfactory assurances” and “best efforts”. What is “satisfactory assurance” in terms of our Business Associates? Do we conduct a gap analysis/risk analysis for them? Do we monitor their compliance plan? I don’t think anyone knows for sure, but I believe that simply having a signed Business Associate Agreement may not be enough to meet the “satisfactory assurance” requirement.
In today’s day and age there is a lot to keep track of in addition to providing quality health care. Technology is changing fast, and rules and regulations seem to be changing faster. Regardless, the ultimate responsibility and liability rests upon you, hence these basic recommendations:
1. Conduct a gap analysis
2. Conduct a risk analysis
3. Update policies and procedures based on findings and the Omnibus Rule.
a. Update Notice of Privacy Practices
b. Update Business Associate Agreement
4. Identify Business Associates
a. Sign new Business Agreements – updated with Omnibus Rule requirements
b. Obtain “satisfactory assurance” from Business Associates
5. Train employees
I actually created a form that you can use to obtain “satisfactory assurance” from your Business Associates. I don’t guarantee that it will/will not work, but at the very least it is a step closer to showing that you are trying to meet the requirements of the law. For copies of this form simply e-mail me at [email protected] and I will shoot you a copy.