[ Tuesday, December 29, 2015 ]
Recent Breaches Highlight Risk of Failing to Conduct Risk Analysis:
Jeff [3:16 PM]
The American Health Lawyers Association email alert today discusses three recent HIPAA enforcement actions (all of which I've briefly blogged about, below): Lahey Hospital and Medical Center (the hospital affiliated with Tufts Medical School), Triple S Management (a Puerto Rico insurance provider), and University of Washington Medical. Fines for all three totaled $5.1 million.
Lahey involved a stolen laptop; in a twist, it was not stolen from an employee's car, but was actually connected to a piece of medical equipment in the hospital. Lahey didn't do enough to secure the hardware, partly because it didn't do a good job of tracking the hardware it had. Triple S had some problems with too much PHI being sent out in mailings, but the real trouble came to light in the subsequent investigation, when OCR discovered a failure to conduct a risk analysis and institute appropriate safeguards. UW suffered a breach when an employee of a care division downloaded a computer virus; UW had conducted risk analyses (at least in connection with its "meaningful use" attestation), but didn't make sure all operations were covered and apparently didn't make sure all appropriate divisions and operating units were instituting appropriate safeguards.
As the AHLA email alert correctly notes, the unifying factor in these cases is a failure to conduct and/or implement a good risk assessment. Triple S did no risk assessment; Lahey didn't pick up all of its hardware and ePHI uses; and UW did not ensure that its risk assessment and safeguards reached all of its operating units. So:
- Do a solid risk assessment;
- Make sure you cover all of the places you use and transmit PHI; and
- Make sure you cover all of your business units, facilities, and operating divisions.
This should not be news to you.