information about the incident or problem described in the complaint.
Where a complaint pertains to electronic protected health information (PHI), you will need to provide system access logs and documentation of electronic safeguards. All too often this requires laborious information gathering and research. In such situations, software with good audit logs and reports can be a real lifesaver by allowing you to respond to OCR promptly and efficiently. It is easy to end up in murky waters when a practice is unable to track system access or unable to respond promptly. Lost time and distraction have a significant financial cost for the practice. Furthermore, the inability to respond clearly may lead to a joint OCR review with CMS to determine whether the HIPAA Security Rule has been violated.

Source: http://www.hhs.gov/ocr/privacy/enforcement/data/historicalnumbers.html#all

Yes, OCR has been active. Of the 2,199 investigations conducted in 2007, nearly 67% (a total of 1,484 investigations) led to corrective action. While 2008 enforcement results are not yet available, this summer's complaint resolution in July between HHS and Seattle-based Providence Health & Services was financially significant: Providence paid a $100,000 financial penalty for the loss of computers containing PHI, and probably bore a much larger cost in lost personnel time across the entire Providence organization.

While patient complaints are somewhat unavoidable, advance planning can help the practice respond promptly, efficiently, and decisively to complaints. Make sure you have HIPAA training logs and documented processes and controls for the sharing of PHI. Finally, verify that your applications containing PHI clearly meet the security requirements of the HIPAA Privacy Rule. If you don't know, ask your vendor to confirm that your system complies. Also ask them to show you how to view the reporting functionality you would need in the event of a complaint.

Marc-François Bradley
President, Sophrona Solutions
Email: mfbradley@sophrona.com