🔥 Find me at MedicalDevicesGroup.net 🔥
5 min reading time
That’s how much Triple-S Management Corp will pay for insufficiently protecting health information.
See http://bit.ly/HIPAA-enforced for what Health & Human Services said.
It’s not as though these rules just appeared.
Group member and privacy expert Rebecca Herold writes, “Expect to see many more fines/sanctions in the coming year. If healthcare organizations and their vendors don’t establish safeguards, after close to 15 years of having time to do so, they will be paying a large price.”
From the Office for Civil Rights (OCR), which enforces the Federal standards that govern the privacy of individually identifiable health information:
“After receiving multiple breach notifications from TRIPLE-S involving unsecured protected health information (PHI), OCR initiated investigations to ascertain the entities’ compliance with HIPAA Rules. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:
• Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
• Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
• Use or Disclosure of more PHI than was necessary to carry out mailings;
• Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
• Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.
The settlement requires TRIPLE-S to establish a comprehensive compliance program designed to protect the security, confidentiality, and integrity of the personal information it collects from its beneficiaries, that includes:
• A risk analysis and a risk management plan;
• A process to evaluate and address any environmental or operational changes that affect the security of the ePHI it holds;
• Policies and procedures to facilitate compliance with requirements of the HIPAA Rules; and
• A training program covering the requirements of the Privacy, Security, and Breach Notification Rules, intended to be used for all members of the workforce and business associates providing services on TRIPLE-S premises.”
For today’s discussion, think back over your career: How confident are you that all your former employers have impenetrable protections for patient data it collects?
Are you using online apps for your health?
How concerned are you about YOUR patient health information?
Common UDI Mistakes You Can Avoid
In case you missed it, resident Unique Device Identification expert Gary Saner will present a free webinar next Thursday about common mistakes he’s seen from the more than 100,000 UDI applications his company has processed.
See http://medgroup.biz/UDI-mistakes to register for free.
If you support a Class II medical device, you won’t want to miss it.
Medical device tax repeal efforts update
Implanted medical devices
Can a dog be a medical device?
Notified bodies requesting evidence of simulation of product recall procedures?
Ultrasound is still underutilized. What new usage scenarios and applications?
Make it a great week.
P.S. We’re moving the Medical Devices Group off LinkedIn. To stay involved, sign up at http://medgroup.biz/MOVE
David P. Depman ✓
This is a big issue and the courts have made it clear that there is a very high level of expectation placed on companies entrusted with personal medical information. Most breaches are accidental and a robust cyber insurance policy can protect your company if information is inadvertently made public.
Marked as spam