We received notice from HHS this morning that "...Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan (CAP) to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule..."
While we don't know what additional information will be made public in the coming days or weeks, we are left guessing why such an inexpensive CAP was justified. Did the MD Anderson appeals case influence OCR's decision (i.e., by keeping monetary penalties low, does OCR reduce the odds of another appeals process)? This isn't the only inexpensive settlement within the last year or so, and it's hard to gauge how these amounts are agreed upon. Given that OCR's findings included "...failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures...", we have to ask ourselves how many medical organizations are reading this and wondering whether it's cheaper to take the hit if audited than to run a compliant program.
We won't ever advocate risking patient data and causing harm by neglecting a compliance program focused on privacy and security, especially since this CAP doesn't take into consideration the civil lawsuit that will probably follow. A basic understanding of a company's risks, alongside policies and procedures, will help leadership dedicate the correct resources to protecting their patients' most valuable information. Reach out if you want to learn more. The graphic below is linked to the three-year CAP.
Stay (HIPAA) safe, Alan -