Safeguarding personal health information is one of the most important responsibilities of health care professionals, but having policies and procedures in place isn’t enough. Covered entities must continuously monitor their execution and ensure that employees are trained.
A Seattle-based healthcare ministry has learned the hard way about this importance by having to enter into a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Resolution Agreement is due to the covered entity’s loss of electronic backup media and computers with personal health information. As a result, they were ordered to pay $100,000 and implement a detailed Corrective Action Plan to safeguard patient information.
The Resolution Agreement obligates the organization to perform certain duties over the next few years such as staff training, monitoring transport and storage of electronic personal health information and conducting audits.
Kerry Weems, the acting administrator of the Centers for Medicare and Medicaid Services (CMS), commented, “This resolution confirms that effective compliance means more than just having written policies and procedures. To protect the privacy and security of patient information, covered entities need to continuously monitor the details of their execution, and ensure that these efforts include effective privacy and security staffing, employee training and physical and technical features.”
This is the first case where HHS has required a Resolution Agreement from a covered entity.
Although the healthcare ministry has become more effective at protecting personal health information, the investigation and Resolution Agreement have cost them time, money and created unwanted negative publicity. For more on this case visit HHS news , HIPAA enforcement