No Risk Assessment, No Business Associate Agreement: $3.5 million fine.

December 9, 2015

Yesterday I told you about a business associate who said that their major client had never asked them to sign a business associate agreement, despite more than a decade of access to that client's PHI. Today we get an up-close look at another case, this time a health insurer that had, for practical purposes, failed to comply with HIPAA altogether.

Triple S, based in Puerto Rico, was investigated by OCR after multiple breaches and was found to have “widespread non-compliance”. The findings included a lack of proper safeguards to protect PHI, the absence of a proper risk assessment, and failure to obtain a signed business associate agreement from a major vendor. The only major issue not cited was failure to adequately train staff on policies and procedures, and one can assume that would have been impossible, since the organization did not appear to have any policies to train on.

The $3.5 million fine will probably end up costing them less than the CAP (Corrective Action Plan) that comes with it. Retrofitting a HIPAA compliance program is expensive and disruptive to the business, especially with expensive consultants on the premises for the foreseeable future.

Avoiding the OCR spotlight is relatively straightforward. For a few thousand dollars a year you can have updated policies, documented security awareness training for staff, and quarterly risk assessments. Even if the auditors do show up, you are on far firmer ground. With an automated approach, the documentation of your efforts is kept in a single location that is quickly accessible to the OCR auditors. That prevents a lot of digging around, and digging around always turns up more things to be audited. You want the auditors to be able to establish quickly that you were doing the right things and documenting them. Documentation is what builds a “legal firewall” around your company.

We have been helping healthcare organizations get accredited by The Joint Commission since 2007 and become HIPAA compliant since 2009. Our clients have been through hundreds of audits, and to date no client has ever failed, even though our services are delivered efficiently and cost effectively over the Internet.

Take a look at our new Jumpstart program that helps you get HIPAA compliant in less than 72 hours for as little as $249. www.compliancehelper.com
