Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case workers violated the minimum necessary access principle, and the information they accessed was also provided to reporters, who then published it. Judging by the required corrective actions that go beyond the fine, it is also likely that the policies, procedures, training, awareness, and access logging processes were lacking.
It is important to note that, in addition to the fine, the UCLA hospital system must also take specific actions to improve its information security and privacy program. Namely:
- Update existing, and implement new as necessary, “meaningful” policies and supporting procedures so that similar incidents are less likely to occur.
- Provide training to ensure workers know, and can follow, the policies and procedures.
- Implement audit trails to identify worker access to patient records.
The OCR will closely monitor the UCLA hospital system for at least the next three years to ensure it carries out these activities.
Here is a quote from the OCR release that emphasizes the need for CEs to take HIPAA/HITECH requirements seriously:
“Covered entities need to realize that HIPAA privacy protections are real and OCR vigorously enforces those protections. Entities will be held accountable for employees who access protected health information to satisfy their own personal curiosity,” said Director Verdugo.
Notice the emphasis the OCR placed upon the word “meaningful.” This is an issue that has concerned me for a very long time. Too many organizations think that putting words on a document and slapping the title “policies” on it will fulfill the requirement to have information security and privacy policies and procedures. And far too many vendors irresponsibly, and dangerously to their clients, perpetuate this wrong-thinking by saying that all their clients need are the “free” policies the vendor will give them, which they can then use as “evidence.” Evidence of what? Only that the company was able to download a file.
Information security and privacy policies form the foundation of an information security and privacy program, and MUST be tailored to each organization. Downplaying their value in an information security and privacy compliance program is risky, and it will catch up with an organization sooner or later.
Possessing a document called “information security policies” that an organization has not thoughtfully customized to fit itself, and implemented according to its risks in addition to its regulatory and other legal requirements, will not provide any type of information assurance to the organization. It would be like saying that if you load a Chinese dictionary onto your company network, then all your personnel will be able to speak Chinese. That should be obviously ridiculous.
Ridiculous, like thinking that free, unmodified policies, with no supporting procedures (yes, folks, procedures are much different from policies; they SUPPORT the policies for your specific environment), stored somewhere in the deepest, darkest bowels of your network where your organization’s workers cannot find them, and for which those workers receive no, or ineffective, training or awareness communications, will meet the HIPAA/HITECH requirements. Documents like these are meaningless.
- Holding a paper copy of policies does not mean you are following or even know those policies: without necessary actions they are meaningless
- Storing a file called policies in your computer does not mean you are following, or even know those policies: without necessary actions they are meaningless
- Pasting policies into a compliance spreadsheet does not mean you are following, or even know those policies: without necessary actions they are meaningless
- Sleeping on a DVD containing policies does not mean they will soak into your brain through osmosis overnight, and then you will follow them or even know them: without necessary actions they are meaningless
Ahh…yes…meaningless. Have I made my point yet that they would not meet the “MEANINGFUL” requirement that OCR clearly states is necessary?
The UCLA incident and the sanction requirements also show the role of logging access to patient records, and of being able to produce an access report that shows every access and disclosure. This case is similar to past cases where such access logging was also written into the HHS HIPAA violation resolution agreements. Incidents like these highlight likely reasons why some of the proposed Accounting of Disclosures rule requirements for accounting of accesses were made.
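To make the audit-trail requirement concrete, here is an added example (my own illustration, not anything from the OCR resolution agreement or UCLA’s systems) of what “logging worker access to patient records” and “producing an access report” look like once the logs exist. The log format, the user and patient identifiers, the care-team assignment table and the log lines themselves are all constructed assumptions for the example. It parses the constructed log, builds the per-patient access report a patient or OCR could request, and flags accesses by workers who are not assigned to the patient, which is exactly the “personal curiosity” access the minimum necessary principle is meant to catch.

```python
"""Toy audit-trail review for patient-record access (added example, not from the page).

Assumed log format (one access event per line):
    ISO timestamp | user id | patient id | action | source system
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log for the example (hypothetical users and patients).
SAMPLE_LOG = """\
2010-03-01T09:14:02 | nurse.jones  | P-1001 | VIEW  | EHR
2010-03-01T09:15:40 | dr.smith     | P-1001 | VIEW  | EHR
2010-03-01T12:03:11 | clerk.adams  | P-1001 | VIEW  | EHR
2010-03-01T12:03:45 | clerk.adams  | P-1001 | PRINT | EHR
2010-03-02T08:01:09 | nurse.jones  | P-2002 | VIEW  | EHR
2010-03-02T22:47:33 | dr.smith     | P-2002 | VIEW  | EHR
"""

# Assumed care-team assignment: workers with a treatment, payment or
# operations reason to open each patient's record (the "minimum necessary" set).
CARE_TEAM = {
    "P-1001": {"nurse.jones", "dr.smith"},
    "P-2002": {"nurse.jones"},
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient: str
    action: str
    system: str


def parse_log(text):
    """Parse the assumed pipe-delimited log into AccessEvent records; reject malformed lines."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        when = datetime.fromisoformat(fields[0])
        events.append(AccessEvent(when, fields[1], fields[2], fields[3], fields[4]))
    return events


def access_report(events, patient):
    """Every access to one patient's record, oldest first: the report a patient could request."""
    rows = sorted((e for e in events if e.patient == patient), key=lambda e: e.when)
    return [(e.when.isoformat(), e.user, e.action, e.system) for e in rows]


def flag_unassigned_access(events, care_team):
    """Accesses by workers who are not on the patient's care team: candidates for sanction review."""
    return [e for e in events if e.user not in care_team.get(e.patient, set())]


def accesses_per_user(events):
    """Simple volume count per worker, useful for spotting unusually curious accounts."""
    counts = defaultdict(int)
    for e in events:
        counts[e.user] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Access report for P-1001:")
    for row in access_report(evs, "P-1001"):
        print("  ", *row)
    print("Accesses outside the assigned care team:")
    for e in flag_unassigned_access(evs, CARE_TEAM):
        print("  REVIEW:", e.when.isoformat(), e.user, "->", e.patient, e.action)
```

Two things worth noticing. The report is only as good as the log: a system that does not record reads (only writes) cannot answer “who looked at this patient’s record,” which is the question OCR asked here. And the flagging logic is only meaningful if the care-team assignment is itself maintained and reviewed; a stale assignment table turns the check into noise, which is the same point made above about policies that exist on paper but are not actually operated.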
Speaking of which, I know I am long overdue for my Accounting of Disclosures Discussion #2, which will be about access reports and the associated benefits, issues and challenges of creating them, as described within the Accounting of Disclosures proposed rule. I’ve just not had enough time in the day over the past several weeks. I’ll try to make some time in the near future!
Tags: accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, OCR, privacy, privacy breach, privacy rule, sanctions, security, security rule, UCLA