Here’s a cautionary tale: A medical practice comes to us in a panic. It turns out the physician had received a letter from the Office of Civil Rights (OCR) ordering an investigation related to a patient data breach – not his own.
In this instance, the practice’s business associate (BA), a web hosting company, had committed the breach and exposed patient information, part of which ended up in a Google search. The web hosting company was investigated and is awaiting a final determination from OCR. But the medical practice was also being investigated because it had contracted the services of its provider.
Impact to the physician
This particular medical practice, an oral surgeon with a staff of six, had 20 days to answer 15 questions, all pointing to electronic security measures it should have taken to protect the records of the thousands of patients stored in its systems (the investigation came after the initial 60 days the practice had to notify patients). The workload involved in responding to an OCR investigation could be enough to make a physician want to shutter his practice. Here is just a taste of the OCR’s questions:
- Copies of any notes, documents and reports relating to any internal investigation, including any forensic analysis conducted by the covered entity, or its designated contractor or agent of the alleged incident. Please detail any corrective measures taken as a result of this alleged incident.
- Please indicate whether you conducted a breach risk assessment for the alleged incident. If so, please provide a copy of the breach risk assessment.
- If you determined that a breach of patients’ PHI occurred as a result of this incident, please indicate, as applicable, whether you notified the affected individuals, the media, and the HHS Secretary.
- If you notified the affected individuals, the media, and the HHS Secretary, please provide OCR with documentation of said notifications.
If the OCR determines that the medical practice is in willful neglect of HIPAA regulations, it could be looking at a fine of $50,000 per incident, up to $1.5 million.