May 29, 2015. In April, the Office of the National Coordinator for Health Information Technology published online Version 2.0 of its Guide to Privacy and Security of Electronic Health Information. This is an excellent description of the requirements and the need for safeguarding electronic protected health information, but the document provides little guidance on establishing policies and procedures based on findings from a required risk analysis.
May 26, 2015. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) accepted a $125,000 resolution amount from a Colorado compounding pharmacy for disposing of protected health information (PHI) of 1,610 patients “in a dumpster that was accessible to the public” in violation of the HIPAA Privacy Rule. In its Bulletin entitled “HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records,” OCR indicated that it “opened a compliance review and investigation after receiving notification from a local Denver news outlet regarding the disposal of unsecured documents containing PHI.” In the Bulletin, the OCR Director, Jocelyn Samuels, stated:
Cornichon Healthcare has launched Version 2.0 of HIPAA Safeguard at www.HIPAASafeguard.net. It links Cornichon’s risk analysis template—based on protocols established by the National Institute of Standards and Technology (NIST)—with Cornichon’s 92 written, HIPAA-required policies and procedures for safeguarding protected health information (PHI) and 22 forms for documenting safeguard actions, activities, and assessments. Covered entities and business associates are required by federal law to secure PHI, and, with HIPAA Safeguard, they can now streamline the first step in the compliance process—the required risk analysis—and use the findings to tailor Cornichon’s written safeguard policies and procedures to their business operational environments to achieve and demonstrate compliance