In September, a Rhode Island hospital agreed to pay a HIPAA fine of $550,000 for what could be viewed as sloppy paperwork. They were investigated by the U.S. Department of Health and Human Services Office of Civil Rights (OCR) following the loss of unencrypted backup tapes that contained patient data. The fines resulted because this hospital failed to update the Business Associate Agreement it had in place with their IT service provider.
Several points to make in response to this latest HIPAA enforcement action:
- HHS-OCR is no longer messing around with enforcement threats. They are under political pressure to actually enforce, and they are. Even small organizations are now being investigated and heavily fined.
- Documentation and effort are critical for avoiding what happened to this hospital. OCR wants to see that a “reasonable” effort has been made to document steps taken to protect PII (security assessment, awareness training, policies & procedures, etc.). Without it, you will be on thin ice if an investigation occurs.
- If you use an IT service provider to manage data backup, there should be no (good) reason why they are not encrypting the sensitive information. The reality is that most do not, especially when the data is backed up to tape. Insist they do, or at least ask them to explain why they are not.
More details on this story can be found here.