As shocking as it may be, in this day and age there are still many hospitals and medical-related businesses that have not made sufficient risk assessments relating to patients’ protected health information (“PHI”) and the third party vendors that have access to this information. This is pertinent to large organizations such as hospitals, smaller organizations like a physician or dental office, and the third party vendors that work with these types of entities (for example, IT and copier repair companies or cleaning services). Last week, a resolution agreement between the United States Department of Health and Human Services Office for Civil Rights (“OCR”) and North Memorial Healthcare proved that this issue is still extremely relevant and potentially costly. In this instance, North Memorial self-reported to OCR that an unencrypted laptop containing the PHI of approximately 10,000 individuals was stolen from its third party vendor.
Unbelievably, there was no business associate agreement between the hospital and its vendor. At the conclusion of its investigation, North Memorial agreed to pay 1.55 million dollars to resolve allegations that it violated HIPAA and agreed to enter into a robust compliance program governing how it would enter into business associate agreements (“BAA”) going forward. If you are interested in reading a copy of the actual Resolution Agreement, please click here.
Before addressing what North Memorial agreed to do going forward, understand that North Memorial, as a “covered entity,” was required to take certain steps to protect PHI under HIPAA and to report any breach of this obligation directly to OCR. OCR is the governmental agency in charge of enforcing the rules and regulations surrounding the privacy of individually identifiable health information, and it has the authority to conduct compliance reviews and investigations of complaints alleging violations of HIPAA rules generally.
In addition to the million dollar fine, North Memorial agreed to implement the following policies and procedures:
- Develop Policies and Procedures Related to BAAs
- Perform Risk Analysis
- Develop and Implement Risk Management Plan (based upon results of analysis)
- Training (as approved by OCR)
- Compliance Reporting to OCR Going Forward
If you are in the medical industry, or your business works with other businesses in the medical industry, you need to have procedures in place to guard against cyber intrusion and to respond to a loss of PHI. Your company needs to have standardized in-house policies and methods, as well as an awareness of the policies and methods of every other medical-related company it is doing business with. While a business associate agreement with a vendor is a good start, it’s important to have an individual who also understands the security procedures your vendor has in place, for proper due diligence. If a vendor does not want to disclose what efforts it has undertaken to be HIPAA compliant, perhaps it is time to look for another vendor. Keep in mind, sometimes you cannot even take a vendor’s word at face value, as a recent Resolution Agreement with OTC reveals. It is imperative to have actual documentation of what measures are in place. Click here for a Federal Trade Commission release in which a dental practice software company admits that it misled practices across the country as to the level of encryption its software provided.
The attorneys at Danziger Shapiro & Leavitt, P.C. are available to discuss this and the many other issues that affect your medical or dental practice. Whether your inquiry is directly related to cyber security, or related to cyber security in connection with your interest in buying or selling a practice, the attorneys are available to help guide you through this complicated process.
This entry is presented for informational purposes only and does not constitute legal advice.