Actual HIPAA Audit Letter Following a Data Breach
We came across an actual letter sent by the Office of Civil Rights following a data breach. The OCR is responsible for taking action for HIPAA compliance issues and enforcement. This particular breach involved a Business Associate of a Covered Entity – this means, that the breach happened while the data was possessed by one of their third-party providers, such as IT, email provider, cloud service, shredding company, or another service which utilizes patient data for a medical or dental office.
Why Was the Practice On-The-Hook?
Even when a medical or dental practice contracts out services to third parties, the end-responsibility of data security lies entirely on them; the covered entity. It is up to the covered entity to obtain Business Associate Agreements detailing exactly how their patients’ data is to be used. While such an agreement can limit exposure and liability, the weight of responsibility of the audit rests on the shoulders of the practice that the data originated.
What did the Practice Have to Provide?
The OCR was looking for a detailed Risk Management plan, which includes a Risk Assessment in combination with implemented technical safeguards for data security. In other words, a Risk Assessment is not enough – documentation of actions taken to remediate risks is also required to be available. Specifically, the letter asked for documentation of:
- HIPAA policies and procedures relating to PHI security practices
- Employee training materials with sign-offs by employees & managers
- A written policy on breach notification, in place before a breach is suspected
- Risk assessment detailing possible points of entry into PHI
- Output of network vulnerability scans
- Evidence of active anti-virus software
- System activity review – who accessed what, and from where.
The Takeaway:
It is becoming more difficult to site a lack of enforcement in deciding whether or not to comply. Recently, a CDA dentist in Rockland was hit with a HIPAA audit. St. Joseph Hospital also suffered a breach this year due to a stolen USB flash drive. Additionally, random HIPAA audits are planned for October this year.
Please note that the items requested in this letter, if not available, constitute a willful neglect of HIPAA regulations and results in penalties and loss of production.
Please take advantage of our free onsite HIPAA consultations and we can help you with your Risk Assessment. We are dental IT and HIPAA specialists.