What Good Is a Compliant Security Program
...when your Privacy program isn't? We work with a lot of clients who are eager to balance compliance, risk and security as they safeguard ePHI. Interestingly, when we ask about the organization's Privacy program, the line often goes dead.
This month, HHS OCR settled with St. Joseph's Medical Center (Joe) for Privacy Rule violations. Specifically, Joe disclosed patient information without first obtaining written authorization from the patients. The Privacy Rule spells out when PHI can be disclosed, and when such disclosures require, may require, or do not require the patient's authorization.
Just as important, an organization's Privacy program covers ALL PHI, not just ePHI. A company that focuses only on protecting the electronic subset of its patients' information is therefore covering only part of what the rules require.
Joe settled for $80K and agreed to a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule. That's a LOT more expensive than having a consultant confirm that your Privacy policies adequately cover what they should. Proteus offers a turn-key set of Business Associate Privacy policies, and we can also perform a compliance gap analysis to determine whether your policies meet the Privacy and Breach Notification Rules.
Stay (HIPAA) safe,
Alan