Page 15 - Part 1 Navigating Electronic Media in a Healthcare Setting
SVMIC Navigating Electronic Media in a Healthcare Setting
The investigation concluded the surgical group:
- Failed to implement adequate policies and procedures to appropriately safeguard patient information;
- Failed to document that it trained employees on its policies and procedures on the Privacy and Security Rules;
- Failed to identify a security official and conduct a risk analysis; and
- Failed to obtain business associate agreements with internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Under the HHS resolution agreement, the surgical group agreed to pay a $100,000 settlement amount and enter a corrective action plan to come into full compliance with the Privacy and Security Rules. This is an example of a healthcare group that failed to comply with the requirements of the Privacy and Security Rules and, although the settlement amount was staggering at the time, recent cases involving similar violations of the same magnitude have settled for much larger amounts, typically in the $500,000 range.
Anyone with access to PHI, including temporary/volunteer staff or students, must complete basic HIPAA training. Additionally, a written policy should be established which sets forth performance guidelines for the management of confidential information and ensures compliance with legal and ethical requirements. The policy should state that violation of a patient's confidentiality is grounds for disciplinary action, up to and including termination. Anyone with access to PHI should sign this policy and/or agreement indicating that he or she has reviewed and