The Health and Human Services’ Office of Civil Rights (“OCR”) recently entered into a Resolution Agreement with a Florida physicians’ group after investigating an alleged HIPAA breach at the hand of a third-party billing service, as reported by Lexology.
Through its investigation, OCR discovered the physicians’ group did not have a business associate agreement with the company, thus violating HIPAA Rules. Although the group has been in existence since 2005, it failed to implement any risk analysis or security measure policies prior to receiving notice of the 2014 breach.
Under the terms of the Resolution Agreement, the group was required to pay OCR $500,000 and enter into a two-year Corrective Action Plan, which will require the group, among other things, to provide HHS with an accounting of all of its business associates and maintain business associate agreements; conduct a thorough risk analysis and adopt a risk management plan; and review and revise its written policies and procedures to fully comply with HIPAA Rules that govern covered entities and business associates. The group will also be responsible for distributing those policies and procedures to all its workforce members.
But why risk fines or wait for OCR to mandate corrective actions for your practice? You can start making positive changes now by enlisting the help of HIPAAcraticRx. We guide practices along a 5-step path to a state of managed HIPAA compliance. While implementing a compliance program may seem overwhelming, HIPAAcraticRx makes the process simple. Contact us for more information.