Finding Compliance with ConnectWise Manage
Did you ever think that ConnectWise Manage might save you from a million-dollar fine?
ConnectWise Manage is more than a business management solution, it’s a great compliance tool too.
The CEO of a small hospital calls you about a letter he just received from the US Department of Health & Human Services Office for Civil Rights. It says that a server you replaced six months ago included a hard drive with over 100,000 patient records, and that you failed to dispose of it properly. The hospital has two weeks to provide evidence to the investigators.
Dollar Signs in His Eyes
The hospital CEO isn’t happy. He knows there have been HIPAA fines of $1.7 million for lost laptops and hard drives. He knows any loss of more than 500 records must be reported to the federal government and the state attorney general; both the hospital’s name and yours will be documented for the world to see on the ‘HIPAA Wall of Shame’, and the hospital will have to notify patients and alert the media that their data was stolen.
The CEO knows the media won’t be calling you about the breach, but will be calling him for a quote or a TV interview. And he is in the midst of a fundraising campaign for major renovations. He also remembers that Target’s CEO ended up resigning after their data breach.
In short, he’s freaking out.
It’s Not Pretty
The 2015 IBM/Ponemon Cost of a Data Breach Survey estimates that a breach of healthcare information costs $398 per record, almost two-thirds of which are consequential costs such as lost business, on top of the fines, legal fees, technical services, and notification costs.
Under the new 2013 HIPAA rules your company can be fined, but so can the hospital if the investigators decide they should have chosen a more reliable partner. Class action lawsuits are common, and the resulting loss of trust, and business, can be huge. You have $1 million in cyber liability insurance, which sounded like a lot of money but sure doesn’t now.
How many times have you heard Arnie Bellini say, “If it isn’t in ConnectWise, it didn’t happen.”? There are a lot of reasons for good documentation, like getting paid by clients, measuring staff utilization, and maintaining consistent service quality. But in this case, documentation gives you the power to fight an allegation that could cost you your business and your reputation in the community you love.
Your Worst Fears
You get off the phone with the hospital CEO and, nerves shaken, you search ConnectWise Manage for the server replacement ticket. While your heart is pounding you look through the ticket and find…
- Detailed notes about the disposal of the old server
- A scanned checklist detailing the wiping, removal, and destruction of the server’s hard drive
- A report from the hard drive wiping software, including the drive serial number, date and time, and a method that meets federal regulations
- A note describing the physical destruction of the drive
- Attached photographs of the drive, one taken before destruction clearly showing the drive serial number, and one after your tech had drilled large holes through it to make it unusable
- A scanned copy of the report from your recycler that the drive was disposed of in an environmentally friendly way
These photos, and the irreplaceable information they accompany, are worth a lot more than 1,000 words. You export everything into a PDF document and send it to the hospital CEO to provide to the OCR investigators. You call him and tell him what you sent, and, smiling because you can’t help it, say that you will be glad to talk with the investigators if they need anything else.
A Fairy Tale?
Could you have survived a similar situation? Do you have the right technical tools? Are your employees trained in compliance? Do they follow proper procedures? Do your managers audit your staff’s ConnectWise Manage entries to be sure you are prepared to deal with audits and investigations?
ConnectWise Manage is a great tool to support compliance with regulations in healthcare, finance, education, and other industries. But it is only as good as the information you enter, in anticipation of an audit or investigation. And, because you never know which activity will end up being investigated, you have to be consistent – every time.
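As an added example (not part of this post, and not ConnectWise Manage code), here is a small Python audit that a manager could run over exported disposal tickets to check for the evidence items listed above: every required artifact present, the wipe report carrying a serial number, timestamp and method, the serial matching the ‘before’ photo, and a SHA-256 per attachment so the exported PDF bundle can be matched back to the ticket. The ticket layout, field names and sample values are assumptions.

```python
import hashlib

# Evidence items the post's ticket contained; every disposal ticket must carry all of them.
REQUIRED_EVIDENCE = {
    "disposal_notes", "destruction_checklist", "wipe_report",
    "destruction_note", "photo_before", "photo_after", "recycler_report",
}
WIPE_REPORT_FIELDS = ("serial", "timestamp", "method")

def audit_ticket(ticket):
    """Return a list of findings for one ticket; an empty list means it passes."""
    findings = []
    attachments = ticket.get("attachments", {})
    missing = REQUIRED_EVIDENCE - attachments.keys()
    if missing:
        findings.append("missing evidence: " + ", ".join(sorted(missing)))
    wipe = attachments.get("wipe_report", {})
    for field in WIPE_REPORT_FIELDS:
        if not wipe.get(field):
            findings.append(f"wipe report lacks {field}")
    # The serial number ties the wipe log to the drive in the 'before' photo
    # (the 'after' photo may not show it); a disagreement breaks the evidence chain.
    serials = {wipe.get("serial"), attachments.get("photo_before", {}).get("serial")}
    serials.discard(None)
    if len(serials) > 1:
        findings.append("serial mismatch between wipe report and photo: " + ", ".join(sorted(serials)))
    return findings

def attachment_digests(ticket):
    """SHA-256 per attachment, so an exported evidence bundle can be matched to the ticket."""
    return {name: hashlib.sha256(item["content"]).hexdigest()
            for name, item in ticket["attachments"].items()}

# Constructed sample ticket export with placeholder values (assumed layout, not a real record).
SAMPLE_TICKET = {
    "id": "TICKET-PLACEHOLDER",
    "attachments": {
        "disposal_notes": {"content": b"Old server removed; drive pulled for wipe and destruction."},
        "destruction_checklist": {"content": b"wipe: done; removal: done; destruction: done"},
        "wipe_report": {"content": b"sample wipe log", "serial": "SN-EXAMPLE-0001",
                        "timestamp": "2015-03-02T14:05:00", "method": "multi-pass overwrite"},
        "destruction_note": {"content": b"Drive drilled through by tech after wipe."},
        "photo_before": {"content": b"<jpeg bytes, serial visible>", "serial": "SN-EXAMPLE-0001"},
        "photo_after": {"content": b"<jpeg bytes, drilled>"},
        "recycler_report": {"content": b"Recycler certificate of disposal."},
    },
}
```

Running `audit_ticket(SAMPLE_TICKET)` returns an empty list; drop any attachment or change a serial and the finding names exactly what the investigators would ask about.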
Are you walking the walk or just talking the talk? Are you saying “If it isn’t in ConnectWise…” or are you really checking?