
How to Protect Your Health Care Organization from the next HIPAA Breach

Friday, November 22, 2019


Written for AAOE by Stacy Walton Long and Alexandria M. Foster


In 2018, the Department of Health and Human Services' Office for Civil Rights ("OCR") broke its all-time record by settling 10 cases, its highest number in a single year, with total settlements of $24.7 million. One of these settlements was with Pagosa Springs Medical Center ("PSMC"), a critical access hospital, after OCR investigated an alleged HIPAA breach.

On June 7, 2013, OCR initiated a complaint investigation that revealed PSMC failed to terminate a former employee’s remote access to PSMC’s web-based scheduling calendar (the “Calendar”). The Calendar, managed by one of PSMC’s vendors (the “Vendor”), contained patients’ electronic protected health information (“ePHI”). OCR’s investigation uncovered that PSMC impermissibly disclosed the ePHI of at least 557 patients to the former employee and to the Vendor.

As with many other alleged HIPAA breach investigations, OCR discovered that PSMC did not have a business associate agreement with the Vendor and was thus in violation of the HIPAA Rules. Further, PSMC's failure to deactivate the former employee's username and password allowed that individual to continue accessing ePHI after being terminated from PSMC. Notably, the access in question was to a system hosted and managed by the Vendor, not to PSMC's own network, so disabling the employee's internal account alone would not have closed it.

The terms of the Resolution Agreement required PSMC to pay OCR $111,400 and enter into a two-year Corrective Action Plan. The Corrective Action Plan requires PSMC to, among other things, revise its policies and procedures relating to business associates; assess its policies and procedures relating to uses and disclosures of ePHI; provide revised training to its workforce members regarding, in part, privacy and security awareness; and conduct a thorough risk analysis and adopt a risk management plan to comply with HIPAA standards. The complete Resolution Agreement, with the Corrective Action Plan attached, is published by OCR.

As a health care executive, you must know at all times who has access to your health care organization's protected health information ("PHI"). The following are best practices to adopt to protect your health care organization from a potential HIPAA breach or other unauthorized access to PHI (which includes ePHI):

  • Develop HIPAA policies and procedures for your organization.
  • Always obtain proper authorizations before disclosing PHI.
  • Ensure safeguards such as password-protected access, encryption, and two-step login are in place on every computer, phone, and other electronic device used to access PHI.
  • Design physical safeguards to store paper copies of patient paperwork, charts, and records.
  • Use cover sheets when faxing or mailing PHI.
  • Maintain business associate agreements with all business associates before sharing any PHI.
  • Do not electronically communicate about PHI unless the system is encrypted.
  • Hold regular HIPAA training for all employees.
  • Exercise caution when opening suspicious emails or answering calls from unidentified phone numbers.
  • Do not allow your organization’s employees to share passwords.
  • Do not post PHI online, whether on your organization’s website or social media platforms.
  • Remind employees not to leave electronic devices or physical PHI unattended or in public view.
  • Ensure that proper procedures are in place to promptly terminate the access of former employees, vendors, and any other individual or entity that has had access to PHI, including access to systems hosted by vendors, where your own network controls do not reach. Periodically reconcile the accounts in every system holding PHI against your current workforce and vendor lists, so that an account missed at termination is caught before it is used.
  • Properly dispose of PHI in accordance with state laws and federal regulations. 
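The PSMC case turned on a single account that was never deprovisioned in a vendor-hosted system. A periodic reconciliation of account exports against the HR roster is the check that catches this. The script below is an added example, not part of the original article or of any PSMC or OCR material; the roster, the two account exports, the user identifiers, and the dates are all constructed for illustration. It flags three conditions: an account that is still enabled for a terminated workforce member, an account whose last login is after that member's termination date (the condition that constitutes an impermissible disclosure), and an account that matches no workforce record at all, which must be traced to an owner and, if it belongs to a vendor, to a business associate agreement.

```python
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: workforce id -> status and termination date (None if still employed).
HR_ROSTER = {
    "e100": {"name": "A. Clinician", "status": "active", "terminated": None},
    "e200": {"name": "B. Scheduler", "status": "terminated", "terminated": date(2013, 3, 1)},
    "e300": {"name": "C. Nurse", "status": "terminated", "terminated": date(2013, 5, 15)},
}

# Constructed account exports, one per system holding ePHI. The second system is
# vendor-hosted, so it is outside the organisation's own directory and is the one
# most often missed at termination.
ACCOUNT_EXPORTS = {
    "ehr (internal)": [
        {"user": "e100", "enabled": True, "last_login": date(2013, 6, 1)},
        {"user": "e300", "enabled": False, "last_login": date(2013, 5, 14)},
    ],
    "scheduling calendar (vendor-hosted)": [
        {"user": "e100", "enabled": True, "last_login": date(2013, 6, 3)},
        {"user": "e200", "enabled": True, "last_login": date(2013, 5, 20)},   # never deprovisioned
        {"user": "contractor-7", "enabled": True, "last_login": date(2013, 6, 5)},  # no roster match
    ],
}


@dataclass(frozen=True)
class Finding:
    system: str
    user: str
    issue: str   # "still_enabled", "accessed_after_termination", or "unknown_account"
    detail: str


def reconcile(roster, exports):
    """Compare every account in every system against the workforce roster.

    Returns a list of Finding objects; an empty list means every account
    belongs to a current workforce member or was disabled before that
    member's termination date and never used afterwards.
    """
    findings = []
    for system, accounts in exports.items():
        for acct in accounts:
            uid = acct["user"]
            person = roster.get(uid)
            if person is None:
                # Orphan account: no workforce record. Could be a vendor user, a shared
                # login, or a leftover; each needs an owner and, for vendors, a BAA.
                findings.append(Finding(system, uid, "unknown_account",
                                        "no workforce record; confirm owner and covering BAA"))
                continue
            term = person["terminated"]
            if term is None:
                continue  # current employee; nothing to check here
            if acct["enabled"]:
                findings.append(Finding(system, uid, "still_enabled",
                                        f"terminated {term.isoformat()}, account still enabled"))
            last = acct["last_login"]
            if last is not None and last > term:
                # Use after termination is the condition OCR treated as an
                # impermissible disclosure in the PSMC case.
                findings.append(Finding(system, uid, "accessed_after_termination",
                                        f"last login {last.isoformat()} is after termination {term.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings by issue type, for a quick dashboard or report line."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ACCOUNT_EXPORTS):
        print(f"{f.system}: {f.user}: {f.issue}: {f.detail}")
    print(summarize(reconcile(HR_ROSTER, ACCOUNT_EXPORTS)))
```

In practice the two inputs would be a roster export from the HR system and a user list from each application, including one requested from every vendor that hosts PHI on the organization's behalf; a vendor that cannot produce such a list is itself a finding. Run on the constructed data, the script reports nothing for the internal EHR, where the terminated nurse's account was disabled on time, and three findings for the vendor-hosted calendar: the former scheduler's account is still enabled, it was used after termination, and an unidentified contractor account has no workforce record.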


About the Authors

Alexandria Foster is an Associate in Krieg DeVault's Health Care Practice Group. Ms. Foster provides regulatory, compliance, licensure, and corporate advice to a wide range of health care clients including physicians, practice groups, ambulatory surgery centers, hospitals, on-site employer health clinics, and senior living facilities. Ms. Foster assists these clients with a variety of matters including reviewing, drafting, and negotiating vendor agreements, advising on HIPAA and state privacy law issues, implementing and evaluating telemedicine policies and procedures, assisting with complex transactions, and providing counsel for professional licensing and disciplinary matters.

Stacy Long is a member of the Krieg DeVault Healthcare and Litigation Practice Groups. She represents and advises the firm’s Healthcare clients regarding many significant legal issues, including security breach incidents and risk assessments involving Protected Health Information and other personal information under HIPAA/HITECH and other Federal and State laws governing the privacy and security of such information, as well as corporate compliance and regulatory matters. Ms. Long also counsels and advises clients on HIPAA/HITECH compliance programs, as well as breach notification obligations and audits initiated by Federal and State governmental agencies. She also represents individual professionals and healthcare providers in licensing and disciplinary matters, as well as employment-related matters, and works with mental health providers on confidentiality matters and commitment proceedings.
