A local surgery practice with eight surgeons had accumulated too many old and inactive charts and needed additional storage space. Not knowing the HIPAA rules and regulations, they purchased and built several storage sheds in the parking lot behind their building and moved all of their old charts there. Even though the sheds were secured with padlocks, someone pulled up with a truck in the middle of the night and stole thousands of charts from them. Upon further investigation, I found that no security cameras or motion-activated lights had been installed behind the building.

The day after the incident we were called in to see what we could do to help. Although this client was already an OSHA client of ours, they had refused to implement the HIPAA program we had presented some months earlier. So all we could do was implement the HIPAA program in a rush and hope it would pass inspection, and that is exactly what we did. We conducted a thorough technical, administrative, and physical risk assessment, performed by an IT HIPAA expert. We then provided our written Gap analysis and Remediation report, followed by a personalized set of HIPAA policies and procedures (475 pages) and a two-hour HIPAA training session. This case is still pending and may still result in fines and penalties, but we are hoping that what we did will suffice.
Potential penalties for this major breach (records of over 500 patients compromised) are estimated at over $150,000.
Important Takeaways:
- Please don’t wait until something like this happens to you before implementing a comprehensive HIPAA program and purchasing at least $500,000 of cyber security insurance coverage.
- Paper charts are PHI too: do not store them in unmonitored outbuildings. A padlock alone is not an adequate physical safeguard, and any storage area should be covered by security cameras and motion-activated lighting.
- Make sure you have all of the following HIPAA compliance tasks completed:
  - Technical, administrative, and physical risk assessment by an IT expert
  - Written Gap analysis report
  - Written Remediation report
  - Site-specific HIPAA policies and procedures (475 pages)
  - Two-hour HIPAA training