Insurance agencies under HIPAA are known as Business Associates (BA). Insurance carriers are known as Covered Entities. Up until recently, most HIPAA fines were levied on Covered Entities. Not anymore. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), with increased funding for audits, has fined a Business Associate $650,000 over an employee's stolen iPhone that contained extensive protected health information (PHI). I repeat, $650,000!
OCR found that the iPhone was neither encrypted nor password protected. They also concluded that the Business Associate had no policies addressing the removal of mobile devices containing PHI from the premises, or what to do in the event one was lost or stolen. On top of that, and possibly adding to the severity of the fine, OCR found that the BA had not conducted a risk analysis and had no risk management plan.
This could easily happen to your agency. Do you use cell phones? Can they access clients' names, Social Security numbers, or notes on health history? Have you completed a risk analysis in the last three years? Do you know what one is? Do you have documentation of your agency's policies and procedures for handling PHI? Probably not. That means if an employee's car is broken into while they stop for a quick bite to eat and a laptop or cell phone is stolen, your agency could face a $650,000 fine. Can you afford that? What's your insurance policy against it?
Don't jeopardize your agency's reputation and solvency. Contact us to learn more about GRA's PHI365 HIPAA consulting service at 800-678-4456 or [email protected]