Business Associate Insurance Agency Closes Doors Due to HIPAA Violation
TRANSCRIPT
Increase your agency strength
Please note that we are not attorneys and do not guarantee compliance with HIPAA.
GRA works with 50 agencies in these states…
Our HIPAA experience came when we were audited by a large carrier in 2010. Three people, three months. There had to be a better way.
Your HIPAA Requirements:
• Perform a risk analysis
• Document how your office handles PHI
• Train your staff regularly
• Develop a spirit of compliance
In March 2013 a laptop was stolen from Joe’s car. It contained a complete database of his clientele.
By August 2014, the government issued a settlement agreement for $850,000 and a corrective action plan.
In September 2014, Joe said goodbye to his remaining staff and closed the doors of National Agency.
Fortunately, Joe’s story is fiction. However, it won’t be long until a similar story is in the local news.
DeLoach & Williamson
This South Carolina broker had a laptop stolen that contained PHI of 3,432 individuals.
Following the breach, they immediately launched an investigation and retrained the employee.
Anchorage Community Mental Health Services
Breach affecting 2,743 individuals due to outdated and unsupported software.
Settlement reached in December 2014. The facility paid $150,000 to HHS and adopted a government-recommended corrective action plan.
Affinity Health Plan
Estimated up to 344,579 individuals were affected when multiple photocopiers were returned without having been erased.
Settlement reached in August 2013. Affinity paid $1.2 million and implemented a corrective action plan.
Adult & Pediatric Dermatology
During a breach investigation, HHS also found they failed to properly handle breach notification and the company waited more than a year before performing a risk assessment.
A fine was issued for $150,000, the company adopted a corrective action plan and must report its progress to HHS.
Pharmacy Chain
OCR investigated an incident in which information was inappropriately disclosed to a business associate. They determined the business associate did not misuse the information; however, no business associate agreement was in place.
A corrective action plan was established.
Blue Cross Blue Shield of Michigan
Personal information of 5,514 BCBSM members was printed out and used to access credit cards and gift cards. At least two employees were involved.
11 people were arrested.
Mass. provider settles HIPAA case for $1.5 million
Alaska settles HIPAA security case for $1,700,000
HHS settles HIPAA case with BCBST for $1.5 million
HHS settles lack of HIPAA safeguards case for $100,000
WellPoint pays HHS $1.7 million
County Government agrees to $215,000 settlement
HHS settles with health plan for $1.2 million
Hospice breach of less than 500 settles for $50,000
Breach: Stolen Laptop
• Implement a mobile device policy
• Keep a log of individuals with laptops
• Don’t store data on the laptop
• Utilize strong passwords and encryption
• Remind users not to leave laptops in an unsecured location
Breach: Outdated Software
• Schedule regular updates every week
• Document whenever updates are performed
• If you must use outdated software, apply other safeguards to protect the information
Breach: Improper Disposal
• Properly dispose of all media
  • Shred documents
  • Wipe or destroy equipment
  • Double-check that the information is unavailable
  • Document disposal and destruction
Breach Notification
• Notify your carrier and HHS immediately
• Set up procedures to notify clients
• Document any perceived security incidents
Business Associates & Subcontractors
• Make a list of all your vendors and determine who has access to PHI
• Issue custom business associate agreements with all appropriate vendors
What you can do:
• Perform a risk analysis
• Document how your office handles PHI
• Train your staff regularly
• Develop a spirit of compliance
Custom Documents
We work with you to create more than 700 pages
of documentation tailored to your company.
Ongoing Compliance Topics
• Privacy Reminders
• Entry Access Policy Review
• Quarterly Breach Policy Review
• Vulnerability and Penetration Testing Reminders
• Social Engineering and Phishing
• Conversational Awareness
• Physical Document and Workspace Security
• And Other Timely Topics
10-person agency: Setup $1,500; Monthly $92.50
Michigan Group Benefits
“GRA’s PHI365SM solution is empowering. I feel my company and client data are now
better protected. GRA was very knowledgeable and continues to help me
reach HIPAA and HITECH compliance.”
– Michael Harp