HIPAA Breach Sparked by Rogue Employee

Posted by BAS - 07 March, 2024


As companies increasingly rely on digital systems to manage sensitive information, they must remain vigilant against potential breaches, particularly those stemming from within their own ranks. Employees with access to personal data wield considerable power, capable of inadvertently or maliciously compromising privacy safeguards. Such was the case during the first half of 2013 when a hospital employee exploited their position to gain unauthorized access to the personal information of over 12,500 patients, precipitating a significant HIPAA breach. This breach not only underscored the critical need for robust data security measures but also triggered a comprehensive investigation and subsequent corrective actions mandated by regulatory authorities.

The breach involved the employee illicitly accessing personal information of more than 12,500 patients, including names, addresses, Social Security numbers, and health insurance details. This data was then sold to an identity theft ring. Upon discovery in May 2015, the hospital notified the government and underwent an investigation by the U.S. Department of Health and Human Services (HHS).

HHS found potential violations of HIPAA Security Rule requirements, including insufficient risk analysis, record review procedures, and activity monitoring mechanisms. The hospital agreed to a $4.75 million settlement and a two-year Corrective Action Plan (CAP).

Under the CAP, the hospital must conduct a thorough risk analysis, develop a risk management plan, update HIPAA policies, and provide staff training. The risk analysis encompasses environmental controls like fire suppression and climate systems. A risk management plan addressing identified vulnerabilities must be implemented, alongside audit controls on information system activity. Revised policies and procedures must meet minimum HIPAA content requirements and be distributed to all relevant staff.

The CAP also mandates workforce training, annual reports to HHS on implementation progress, and internal reporting of any noncompliance. HHS advises all Covered Entities (CEs) to review vendor relationships, conduct regular risk analyses, adopt robust audit controls, utilize multi-factor authentication, encrypt PHI, update security procedures, and provide ongoing HIPAA training to mitigate cyber threats.
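The audit-control and activity-monitoring gaps HHS cited are the kind of thing a simple review of EHR access logs can surface: one workforce member touching far more patient records than peers in the same role, or pulling records outside working hours. The following is an added example, not code from BAS, MyEnroll360 or the hospital in the case; it assumes a hypothetical comma-separated audit export (timestamp,user,role,patient_id,action) and runs over constructed sample lines embedded in the script.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    """One record-access event from a (hypothetical) EHR audit export."""
    ts: datetime
    user: str
    role: str
    patient_id: str
    action: str


def parse_audit_line(line: str) -> AccessEvent:
    """Parse 'timestamp,user,role,patient_id,action' (assumed export format)."""
    ts, user, role, patient_id, action = line.strip().split(",")
    return AccessEvent(datetime.fromisoformat(ts), user, role, patient_id, action)


def build_sample_log() -> list[str]:
    """Constructed audit lines (not real data): ordinary nursing and registration
    activity, plus one registration clerk pulling far more records than peers,
    partly late at night."""
    lines = []

    def add(user, role, hour, minute, pid, action="view"):
        lines.append(f"2013-02-04T{hour:02d}:{minute:02d}:00,{user},{role},{pid},{action}")

    for i, user in enumerate(["nurse01", "nurse02", "nurse03"]):
        for j in range(4 + i):                       # 4-6 patients per shift
            add(user, "nursing", 8 + j, 15, f"P10{i}{j}")
    for i, user in enumerate(["clerk05", "clerk06"]):
        for j in range(15 + i):                      # 15-16 patients per day
            add(user, "registration", 8 + j // 4, (j % 4) * 15, f"P20{i}{j:02d}")
    for j in range(80):                              # clerk07: 80 distinct patients
        hour = 9 + j // 10 if j < 50 else 21 + (j - 50) // 15   # 30 after 21:00
        add("clerk07", "registration", hour, (j % 10) * 5, f"P30{j:03d}")
    return lines


def distinct_patients_per_user_day(events):
    """Map (user, date) -> number of distinct patient records touched."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.user, e.ts.date())].add(e.patient_id)
    return {k: len(v) for k, v in seen.items()}


def flag_excessive_access(events, multiplier=3.0, min_floor=20):
    """Flag user-days whose distinct-patient count exceeds max(min_floor,
    multiplier * median for that role). The role median is a peer baseline,
    so a single outlier does not set its own threshold."""
    counts = distinct_patients_per_user_day(events)
    role_of = {e.user: e.role for e in events}
    by_role = defaultdict(list)
    for (user, _day), n in counts.items():
        by_role[role_of[user]].append(n)
    baseline = {role: median(vals) for role, vals in by_role.items()}
    flagged = []
    for (user, day), n in counts.items():
        threshold = max(min_floor, multiplier * baseline[role_of[user]])
        if n > threshold:
            flagged.append((user, day.isoformat(), n, threshold))
    return sorted(flagged)


def after_hours_accesses(events, start=time(20, 0), end=time(6, 0)):
    """Count accesses per user between `start` and `end` (overnight window);
    only users with at least one such access are returned."""
    counts = defaultdict(int)
    for e in events:
        t = e.ts.time()
        if t >= start or t < end:
            counts[e.user] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = [parse_audit_line(line) for line in build_sample_log()]
    for user, day, n, thr in flag_excessive_access(evts):
        print(f"REVIEW {user} on {day}: {n} distinct patients (threshold {thr:.0f})")
    for user, n in after_hours_accesses(evts).items():
        print(f"REVIEW {user}: {n} after-hours record accesses")
```

Both heuristics are deliberately coarse; in practice the role baseline would be computed over weeks of history and the output routed to a privacy officer for record review rather than treated as proof of misuse.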


Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll360 can integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and many others), and with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).

Topics: MyEnroll360 Security, HR & Benefits News, Technology News, Cybersecurity
