Dedicated to helping health professionals.

Avoiding HIPAA Security Breaches Requires “Organization-Wide Analysis”

By Carly Van Thomme, Esq.

As medical organizations store more patient records electronically, entities covered under HIPAA will face new challenges in protecting the security of those records and in complying with the HIPAA Security Rule. The U.S. Department of Health & Human Services (“HHS”) calls such records “electronic protected health information,” or “e-PHI.” The University of Washington Medicine (“UWM”) recently entered into a settlement with HHS that includes a provision requiring UWM to pay $750,000. Why? Per the Resolution Agreement, UWM “failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.” In their press release, HHS emphasized “the need for organization-wide risk analysis.”

In the UWM case, HHS began their investigation following an actual e-PHI security breach. The breach was the result of a malware attack. One of UWM’s employees downloaded an e-mail attachment containing the malware. In addition to further breach investigations, the future will bring widespread HIPAA audits. The HHS Office of Civil Rights (“OCR”) handles the audit process. This office checks for compliance not only with the HIPAA Security Rule, but also with the HIPAA Privacy and Breach Notification Rules.

Since organizations are charting new territory in their efforts to develop and implement HIPAA-complaint security policies, it is inevitable that there will be “growing pains.” In the next few years,  the OCR will continue to uncover and investigate HIPAA Security Rule violations. To be prepared for a potential audit, covered entities and business associates need to address the administrative, physical, and technical aspects of protecting e-PHI. Due to the complex nature of HIPAA requirements, covered entities should seek legal advice as they complete the required risk assessments, seek to implement appropriate safeguards, and develop policies for compliance.

If you are concerned about the privacy and security of your organization’s e-PHI or other aspects of HIPAA, contact the experienced health law attorneys at Chapman Law Group today for legal guidance.