The University of Rochester Medical Center recently settled a HIPAA enforcement action brought by New York State Attorney General Eric Schneiderman, paying a $15,000 fine and entering into a corrective action plan.

The settlement is a reminder to HIPAA covered entities that state attorneys general—in addition to the HHS Office for Civil Rights—have the authority to bring forward HIPAA civil actions. It’s a message that Schneiderman highlighted in an announcement of the regulatory action. “This settlement strengthens protections for patients at URMC and it puts other healthcare entities on notice that my office will enforce HIPAA data breach provisions.”


Further, this HIPAA civil action moved much more quickly than most such actions, which can come years after a breach. In March 2015, a nurse practitioner who would soon be leaving URMC for a new position asked URMC for a list of the patients she had treated at the medical center and received a spreadsheet with 3,043 patient names along with their addresses and diagnoses, according to the settlement agreement. The nurse gave the spreadsheet to her soon-to-be new employer—Greater Rochester Neurology—without authorization from URMC.

Greater Rochester Neurology then mailed letters to the patients alerting them that the nurse practitioner would soon be joining the practice and inviting patients to be treated there. URMC learned of the breach when patients began calling the hospital to complain.

URMC will now provide Schneiderman’s office with the recommendations of a task force formed to assess policies on departing and incoming employees, identify revisions to its HIPAA policies, retrain the workforce, and notify the AG in a timely manner of any future breaches.

Joseph Kirkpatrick, managing partner in the security compliance assessment services unit of accounting firm KirkpatrickPrice, outlined during a presentation at the AHIMA 2015 Convention eight questions that HIPAA auditors will surely ask and for which they will want documented proof of the answers.

Too often, Kirkpatrick said, HIPAA auditors ask how an organization is ensuring vendor security compliance and are simply handed a policy to read. What they want is to be shown how privacy and security are actually being monitored, particularly when it comes to business associates. These are the questions that will come:

* Do you know the name of your business associates and their subcontractors?

* Do you address the risks of subcontractors?

* Do your policies define permissible uses and disclosures of protected health information?

* Do your agreements require business associates to provide evidence of appropriate safeguards? How do you determine what is appropriate?

* Do you have a defined incident response procedure?

* Do you require the BA to provide auditors with all necessary documentation in case of an audit?

* Does your business associate agreement have teeth, with termination an option in case of violations?

* Do you make clear that the vendor is responsible for telling you if there is a breach?
