A. Build and maintain a culture of privacy and security awareness throughout the organization.
B. Provide annual HIPAA training to all employees.
C. Encrypt data and hardware.
D. Maintain, regularly update and disseminate privacy and security policies.
E. Establish and implement plans to mitigate and best manage security and privacy risks.
F. Execute proper business associate agreements.
G. Perform an analysis, if using cloud computing services, to determine potential risks and how they impact HIPAA compliance.
H. Assign a qualified HIPAA compliance or security officer to oversee HIPAA compliance.
I. Alert employees to be responsible for their data devices and be aware of HIPAA risks with emails and social media use.
J. In anticipation of a possible HIPAA audit or OCR investigation, establish an action and response plan.
K. Be aware of and on alert for potential external data security threats.
L. Seek HIPAA counseling from a qualified attorney.

A Health and Human Services administrative law judge found the University of Texas MD Anderson Cancer Center guilty of a similar predicament in 2018, ruling that it violated HIPAA privacy and security rules in regard to three data breaches that took place in 2012 and 2013. The breaches involved a stolen, unencrypted laptop from an Anderson employee's home, and the loss of a pair of thumb drives with records belonging to more than 33,000 people. MD Anderson was ordered to pay a $4.3 million fine.

DADS provides services for the elderly and those with intellectual and physical disabilities.

Back to HCB News

Health IT Homepage