Published On: October 18th, 2016

In September, a Rhode Island hospital agreed to pay a HIPAA fine of $550,000 for what could be viewed as sloppy paperwork. The hospital was investigated by the U.S. Department of Health and Human Services Office of Civil Rights (OCR) following the loss of unencrypted backup tapes that contained patient data. The fine resulted because the hospital had failed to update the Business Associate Agreement it had in place with its IT service provider.

Several points to make in response to this latest HIPAA enforcement action:

  1. HHS-OCR is no longer messing around with enforcement threats. They are under political pressure to actually enforce, and they are. Even small organizations are now being investigated and heavily fined.
  2. Documentation and effort are critical for avoiding what happened to this hospital. OCR wants to see that a “reasonable” effort has been made to document steps taken to protect PII (security assessment, awareness training, policies & procedures, etc.). Without it, you will be on thin ice if an investigation occurs.
  3. If you use an IT service provider to manage data backup, there should be no (good) reason why they are not encrypting the sensitive information. The reality is that most do not, especially when the data is backed up to tape. Insist they do, or at least ask them to explain why they are not.


About The Author: Jason Bittner


CEO and founder of Triple Helix Corporation, since 2004. For over two decades, Jason has worked closely within the Aerospace/Defense/Manufacturing industries. He excels at solving technical challenges by integrating data and information technologies with best business practices. Jason takes an avid interest in educating his readers with the latest news in information management, as well as providing keen insights into the most efficient methodologies for the best operating companies today and into the future.