We're not naive. In our years helping companies understand the relationship between compliance, security and risk, we've (as an example) seen ePHI being shared without a Business Associate agreement and KNOW that our client didn't self report. As such, we assume this is one of the industry's dirty little secrets. Regardless, it isn't the right thing to do and today's OCR settlement showcases Sentara Hospitals (Sentara) being held accountable with a two-year corrective action plan and a $2.175M settlement. We think the settlement had everything to do with Sentara being advised directly by OCR to make a proper breach report; for some reason, Sentara didn't agree or comply - OUCH.
Here are six sources you can count on to generate an OCR investigation:
a phishing attack
a misconfigured system or upgrade that discloses ePHI to the Internet
a lost or stolen unencrypted device storing ePHI
a resentful ex-employee
a conscientious employee
a patient or family member complaint
If you're not getting good advice from your consultant or lawyer, find one that will advise you according to The Rules. We're happy to help. Click the graphic below to read the HHS announcement.
Stay (HIPAA) safe,