As we have discussed in prior publications, a robust HIPAA privacy and security program includes several compliance features: monitoring, auditing, workforce training, and sanctions and termination procedures.
The Alina Health matter is a good reminder to all HIPAA covered entities to review their policies and to verify that the policies and procedures are actually being followed in practice, not merely documented. Some questions come to mind based on this incident, such as the following:
· Do you know which positions have access to PHI? For example, have you created a "minimum necessary" access inventory listing which positions have access to PHI and how much information each position needs (e.g., only billing information)?
· Are employees accessing PHI for any reason other than a legitimate "need to know"?
· Has the Privacy/Security Officer monitored the implementation of the policy to confirm that it is being followed?
· What is your sanctions policy for unauthorized access to PHI?
· Does your policy include a procedure to ensure the security of PHI when a workforce member is terminated, so that he or she promptly loses all electronic access to that information?
These are just some of the questions raised by this incident. If you have any questions regarding the privacy incident at Alina Health or implementing HIPAA privacy and security policies, please contact attorneys Susan Ziel, sziel@kdlegal.com, or Jaya White, jwhite@kdlegal.com.