Risk Analysis/Risk Management – Page 7 – RISC Management and Consulting

February 27, 2014 Orlando, Florida

It’s all about aligning “the right information with the right people at the right time,” said HIMSS Executive Vice President Carla Smith in her closing message to attendees of the HIMSS14 Annual Conference & Exhibition. The meeting assembled some 38,000 healthcare professionals and 1,200 exhibitors in Orlando for a week focused on patient safety, care quality, access, affordability, privacy, and security.

HIMSS14 collage

At HIMSS14 we were educated on the savings from the financial and business end of healthcare, prevention and patient education, electronic information and data sharing, treatment efficiency while providing quality care and safety, and lastly improving the satisfaction of patients, providers, and staff.

In one educational session, a case study was presented from a large, multi-location Federally Qualified Health Center (FWHCs) where minors and adults were treated for STDs. The organization had a Business Associate Agreement (BAA) in place with the grant funder and data collector. However, computers were stolen from the grant-funding organization but it was never determined if patient data was accessed. It is important to note that once again stolen computers were not encrypted, as we’ve seen before a risk analysis was not performed, and a contingency plan for notification was not in place. The key findings can almost be copied from several previous breach events.

I remember thinking about what Chris Heuman, the Practice Leader of RISC Management and Consulting tells our clients “Know why, what and how; meaning understand why you need to protect information, such as regulations, what is required to protect that information, and how to implement and manage those protections.” It is very important to recognize where the HIPAA Privacy and Security Rule and the HITECH Act play a role in safeguarding the confidentiality, integrity, and accessibility of the patient’s protected health information. RISC worked to express that taking care of a patient’s health includes ensuring the privacy and security of their health, personal, and financial information as well. The last thing an individual needs to endure when recovering from or managing a condition is identity theft.

The breach referenced above serves to remind the industry that even the basics have not been addressed across the continuum. Foundational security program elements are still being ignored or abbreviated. It is important to have policies and supporting procedures in place to state the intent of the organization to prevent costly data breaches. Priorities should be approved by management, and strategies put in place to implement industry best practice, and to consult with resources that are subject matter experts in compliance. Begin always by performing a risk analysis and providing workforce training.

Develop, approve, publish and train on HIPAA Privacy and Security policies and supporting procedures
Say what you are going to do, and do what you said you were going to do
Know the role of the Privacy and Security Officers and how they differ
Complete a comprehensive Risk Analysis
Have a data breach notification policy, develop and test a procedure, and ensure members of the response team are trained
Train all members of your workforce, consistently and constantly

The best part of the last day of HIMSS14 was the Keynote Speaker Erik Weihenmayer. Weihenmayer is a World Class Blind Adventurer. He is the embodiment of overcoming adversity and leads an exhilarating and fulfilling life. He was the first and only blind person who made it to the top of Mount Everest in 2008. In this is a lesson for all of us; with the right drive and desire, training, preparation, and follow through, we can accomplish what we set out to do regardless of perceived obstacles.

Sponsored by: RISC Management, www.RISCsecurity.com

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.

For assistance please contact RISC Management.