The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is proceeding with its second round of audits and HIPAA covered entities should be on high alert. The time is now to implement policies and procedures that will minimize your risk in the event of a data breach.

This penalty and the corrective action plan ORC required from the cancer care group serves as a reminder for the need for clear policies and procedures.  HIPAA covered entities need to be proactive to mitigate the damage in the event of a breach.

Most providers try, at all costs, to avoid a data breach but often they are inevitable in the day and age of technology in which we live.  Instead, practices would be wise to: (1) establish a compliance program (2) perform and document risk analysis and (3) implement solid training programs.

One of the best practices to adopt in your compliance program is a “shred everything, all the time, in the same manner” policy.  All Points Mobile Shredding specializes in Health Care Shredding.

Businesses don’t realize the discretion they are affording their employees when they allow them to make the call on whether a document contains Protected Information (PHI) or not.   Often times these employees are busy and don’t have the understanding or time to make the right call.  One wrong decision is all it takes for a document containing PHI to end up in the dumpster. A split second judgment call made by an employee can result in a HIPAA violation that carries significant fines and a severely damaged reputation.

By Dawn Connelly, Esq.

For more information please contact us at 772.283.4152