They were a big company serving dialysis patients world-wide. They had HIPAA policies and compliance officers. From the outside they looked golden.
But it turns out that management wasn’t paying attention to HIPAA risk analysis requirements. It cost them $millions.
Enforcement Priorities
How do we know what the OCR cares about? OCR tells us through announcements, press releases and newsletters.
Over the past fifteen months, there have been four highly visible announcements reminding us that all locations must have their own site-specific Risk Analysis-Risk Management plan.
OCR announces Fresenius Medical Care Holdings, Inc., $3.5 Million Settlement Payment and 2-year Corrective Action Plan (more than 2,000 locations nationwide).
Roger Severino, Director of OCR said “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.”
2. April 2018
OCR Cybersecurity Newsletter: A risk analysis is a necessary tool to assist covered entities and business associates conduct a comprehensive evaluation of their enterprise to identify the Electronic Patient Health Information (ePHI) and associated risks and vulnerabilities.
3. October 2018
OCR Press Release: What is an enterprise-wide risk analysis? It is a robust review and analysis of the risks to the confidentiality, integrity, and availability of electronic health information — across all lines of business, in all facilities, and at all locations. It’s a requirement of the HIPAA Security Rule, helps healthcare organizations understand their security and prevent costly data breaches.
4. May 2019
OCR announces Touchstone Medical Imaging, LLC $3 Million Settlement Payment and two-year Corrective Action Plan.
Said Roger Severino, “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”
Touchstone Corrective Action Plan:
TMI was required to complete a thorough, enterprise-wide analysis of security risks and vulnerabilities with a complete inventory of all equipment, systems, data storage facilities, and applications that contain electronic health information.
Solution
The HIPAA E-Tool® makes location-specific Risk Analysis easy and affordable without shortcuts. We provide step-by-step guidance and every question you need to answer. You don’t need expensive outside help to get this done. You create an inventory, identify risks, which populate your To-Do list, creating full documentation of your Risk Management Plan. All consistent with OCR recommended NIST (National Institute of Standards and Technology) procedures.
You can be golden.
