Winter 2014: the theft of an unencrypted thumb drive from a clinic, leading to a breach of patient health information, might on its own have avoided fines. However, a $150,000 fine was issued by the Office of Civil Rights at Health and Human Services (the enforcement agency for HIPAA privacy rules) because the clinic did not have a written policy for breach notification to individuals and government agencies.
This lack of policy, combined with a lack of documentation showing that staff had been trained on such a policy and had agreed to abide by it, resulted in a massive fine, the first of its kind, showing that enforcement will now occur over the absence of policies in a clinic or healthcare office!
There are approximately 35 to 50 written security policies (depending on how they are combined) that the typical chiropractic office is required to have in place under HIPAA. Since CMS (the agency charged with enforcing HIPAA security rules, as well as Medicare law) states that the majority of compliance with the security rules "lies in having appropriate written, documented, trained and agreed to security policies", it is critical to have those in place.
If you have been lagging behind in this regard, it is time to get caught up: enforcement in all areas of compliance has increased by leaps and bounds over the last two years and shows no signs of slowing!
About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services, a company dedicated to protecting healthcare professionals by producing simplified "how to" step-by-step training materials and procedures that assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program.