The Department of Health and Human Services’ Office for Civil Rights (OCR) has investigated a Californian physician group following a reported breach of protected health information.
Covered entities can implement policies and procedures to prevent data breaches, but security incidents are still likely to occur. Responding correctly to those breaches and ensuring HIPAA Rules are carefully followed will help to ensure financial penalties for HIPAA compliance violations are avoided.
As with all breaches that result in the protected health information of more than 500 individuals being exposed, OCR launched an investigation of Imperial Valley Family Care Medical Group (IVFCMG) when the breach summary was submitted through its breach portal. The breach in question was the theft of a laptop computer containing the protected health information of some of its patients.
IVFCMG had previously signed up to use ‘The Guard’, a software platform developed by the Compliancy Group to guide HIPAA compliance programs and ensure all aspects of HIPAA Rules are followed and documented. The Guard is the leading compliance software platform used by healthcare organizations in the United States.
The platform uses the company’s proprietary ‘Achieve, Illustrate, Maintain’ methodology to ensure compliance with HIPAA Rules. When OCR, CMS, or state attorneys general auditors come knocking, covered entities can quickly access and supply all the required documentation to prove compliance with HIPAA Rules.
When IVFCMG experienced its breach of PHI, the Compliancy Group’s Breach Response Team provided assistance and helped ensure the incident was managed correctly, in accordance with the HIPAA Rules. Through the Compliancy Group’s Breach Response Program, IVFCMG was able to mitigate risk to patients and create all appropriate documentation to supply to auditors when the breach was investigated.
When OCR contacted IVFCMG with a comprehensive list of questions about the breach, IVFCMG’s compliance program, and its breach response, IVFCMG was able to provide all of the necessary information promptly through the Compliancy Group’s Audit Response Program, thus avoiding a potential HIPAA penalty.
Don Caudill, Chief Strategic Officer at IVFCMG, said, “We were able to respond directly to all points of their investigation thanks to Compliancy Group. Not a single audit request or report was left out.” Caudill went on to explain that use of The Guard “ultimately made a huge impact on our ability to respond to OCR. We knew everything we needed to report just by doing everything we needed to outline in The Guard.”
The second phase of the OCR HIPAA audit program has commenced and audits of covered entities are well underway. Additionally, investigations of reported breaches are always conducted and OCR investigates complaints about potential HIPAA violations submitted through its website.
OCR is increasingly issuing financial penalties to HIPAA covered entities that have been discovered to have violated HIPAA Rules. Ensuring compliance with HIPAA Rules, responding correctly to breaches, and being able to answer questions and supply documentation to auditors is more important than ever. HIPAA compliance software helps covered entities ensure HIPAA Rules are followed and documentation is created to demonstrate compliance with all aspects of HIPAA Rules.
Robert Grant, Chief Compliance Officer of Compliancy Group, said, “As a former auditor and co-founder of our company, I’ve built The Guard and developed our Audit Response Program to address the necessary HIPAA regulatory standards for CEs and BAs.” Grant explained that “In the event of an audit, there’s no better way to handle your organization’s response than by providing your auditors with everything they need to properly assess the scope of the violation. Our goal is to help bridge the gap between auditors and our clients so they can continue to satisfy the law.”
To date, all organizations that have signed up to the company’s HIPAA compliance software platform have been able to prove compliance with HIPAA Rules and not one has failed an OCR or CMS audit.