Hard times on the HIPAA front

A trio of ugly situations means painful publicity for lazy or sloppy organizations

Page 2 of 3

The employee strikes back

Beyond sloppy implementation, the HHS is looking for what's referred to in the law as "willful neglect" -- a "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." An employee of Providence Health System in Portland, Ore., was asked to store backup tapes off-site in his car, and when the car was broken into, media with unencrypted personal information on 365,000 patients was stolen. After Steven Shields reported the incident to the authorities, Providence terminated his employment in what he claims is a retaliatory action prohibited by whistle-blower protection laws.

Various sources and a commenter to the Computerworld article indicate that Providence's Home Services division -- where Shields was employed -- operated an independent IT group with lax or absent governance oversight or compliance review. In an unfortunately common situation, it's likely that Shields was asked by a manager to take the tapes off-site in a superficial attempt to follow the HIPAA security rule.

However, sending tapes home with an employee accomplishes the off-site requirement but breaks numerous other rules. An off-hours employee in his home is not the same thing as a service provider. Unless the person contractually agrees to provide controlled, monitored, and secure transport and storage of data -- in a service contract that meets the business-associate rules -- then the data is intentionally out of control of the covered entity. If this isn't "willful neglect" of the HIPAA provisions, I don't know what is.

It really can get worse

For those still waffling between the hassle of compliance versus the risk of getting an unpleasant and prolonged visit from HHS, have a look at two parts of the HIPAA enforcement rule, linked above. Pay special attention to Subpart C, §160.310, "Responsibilities of Covered Entities" -- yes, covered organizations really do have to open their doors and let auditors tromp around in their records as well as the physical site.

As if the disruption and potential work stoppage from an audit isn't enough, the enforcement rule includes my favorite tool for behavior modification: public humiliation. Buried in Subpart D, §160.426, there's a section entitled "Notification of the public and other agencies." Serious violators can be sure the HHS will follow a final penalty (fines and/or jail time) with public notices and notification letters to state and local medical and professional organizations, state agencies administering or supervising appropriate health care programs, "appropriate utilization and quality control peer-review organization[s], and the appropriate state or local licensing agency or organization."

Ow.

Just read it
