How should a DG policy be worded that includes authority


Problem

Two healthcare organizations were fined for a HIPAA security breach that affected thousands of patients when their health information, including medications and laboratory results, was disclosed on the Internet.

The two facilities are separate covered entities that participated in a joint arrangement. Investigation of the breach revealed it was caused when a physician who developed applications for both of the covered entities attempted to deactivate a personally owned computer server on the network containing electronic personal health information (ePHI). Because of a lack of technical safeguards, deactivation caused the ePHI to be accessible on Internet search engines. The covered entities learned about the breach after receiving a complaint from a deceased patient's family member who found the deceased's ePHI during an Internet search. The investigation also found that the covered entities had made no efforts prior to the breach to:

1. Assure that the server was secure and contained the appropriate software protections
2. Conduct a thorough risk analysis that identified all covered entity systems that access ePHI
3. Develop an adequate risk management plan that addressed potential data security threats
4. Implement appropriate policies and procedures for authorizing access to its databases
5. Ensure that its own policies and procedures on information access were observed

The covered entities were fined a total of $4,800,000, the largest HIPAA violation fine to date, and both parties agreed to a substantive corrective action plan that included performing a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

How should a DG policy be worded that includes authority, responsibility, and accountability for risk management?
