Still working on your HIPAA Security Risk Assessment? Or, still thinking about when to get started?
For providers who experience a breach, this proves to be a pricey strategy.
On January 27, 2012, a federally qualified health center reported a breach: 3,200 patients' ePHI was accessed through a phishing scheme. The health center appropriately investigated and took mitigating steps in response to the breach, and conducted a risk analysis by mid-February.
The problem here is that this was the health center's first risk analysis.
The breach was promptly reported, and the Office of Civil Rights (OCR) found the breach was appropriately handled after the fact. But, because the health center failed to conduct a risk analysis until after the breach, it entered a $400,000 HIPAA settlement. The OCR emphasized the following HIPAA deficiencies:
- The health center did not conduct a risk analysis before the breach.
- Because the health center did not conduct a risk analysis, it did not - and perhaps could not - mitigate security risks.
- When it did conduct a risk analysis, it did not meet Security Rule requirements.
The federal government makes it relatively easy to conduct a HIPAA Security risk analysis by providing a free online tool. One has to wonder if the availability of this tool raises expectations for provider compliance, and lowers tolerance for excuses for those who don't complete the analysis.
For health care providers, breaches are inevitable: it's only a matter of time before most of us face breach notification. Prepare yourself now by maximizing your HIPAA Security position. If you are one of the many providers who are behind on HIPAA Security compliance, start with the OCR's free online risk analysis tool, and move on to mitigate risks and develop Security policies and procedures.