Neglecting to conduct a HIPAA risk assessment could cost you.
In the first week of November, the Office of Civil Rights (OCR) announced two big HIPAA penalties.
- A $3 million settlement with the University of Rochester Medical Center for HIPAA violations in 2013 and 2017.
- A $1.6 million civil penalty imposed against the Texas Health and Human Services Commission for HIPAA violations between 2013 and 2017.
In both cases, the organizations failed to perform an adequate risk assessment beforehand, according to the OCR’s parent department, the U.S. Department of Health and Human Services.
Failure To Comply Results In Big Penalties
The Texas Health and Human Services Commission is of particular interest. A data breach occurred when one or more employees moved an internal application from a private, secure server to a public one. The application included a security flaw and the ePHI (electronic protected health information) of more than 6,600 patients. When moved to a public server, the flaw exposed those records to the world.
The department responsible for the breach filed a report with OCR in 2015. This triggered an investigation, which revealed the organization also failed to:
- Conduct an enterprise-wide risk analysis
- Implement access and audit controls as required by HIPAA
These are costly, time-consuming, and embarrassing mistakes – and they erode trust with clients and patients. Luckily, an ounce of prevention goes a long way toward avoiding these violations.
Free HIPAA Risk Assessment Tool
OCR recently announced an update to its HIPAA Security Risk Assessment Tool. This tool is designed for small-to-medium sized businesses and is free to download.
It walks users through a series of modules and questions to help evaluate and document potential threats and vulnerabilities to ePHI in their organizations.
Users enter lists of important items, such as assets, vendors, and business associates. Items can be entered manually or uploaded via CSV.
A series of questions walk users through the process of identifying threats and vulnerabilities, scoring their likelihood of occurring, and their impact if they occurred.
A summary report provides risk scores, areas for review, and a total number of vulnerabilities identified as applicable to the organization.
The tool is worth a look – especially for smaller healthcare organizations and their IT providers.