(800) 570-5879

info@hipaaetool.com

Wooden boardwalk through green meadow

HIPAA Shortcuts Can Be Costly

They were a big company serving dialysis patients world-wide. They had HIPAA policies and compliance officers. From the outside they looked golden.

But it turns out that management wasn’t paying attention to HIPAA risk analysis requirements. It cost them $millions.

Enforcement Priorities

How do we know what the OCR cares about? OCR tells us through announcements, press releases and newsletters.

Over the past fifteen months, there have been four highly visible announcements reminding us that all locations must have their own site-specific Risk Analysis-Risk Management plan.

1. February 2018

OCR announces Fresenius Medical Care Holdings, Inc., $3.5 Million Settlement Payment and 2-year Corrective Action Plan (more than 2,000 locations nationwide).

Roger Severino, Director of OCR said “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.”

2. April 2018

OCR Cybersecurity Newsletter: A risk analysis is a necessary tool to assist covered entities and business associates conduct a comprehensive evaluation of their enterprise to identify the Electronic Patient Health Information (ePHI) and associated risks and vulnerabilities.

3. October 2018

OCR Press Release:  What is an enterprise-wide risk analysis?  It is a robust review and analysis of the risks to the confidentiality, integrity, and availability of electronic health information — across all lines of business, in all facilities, and at all locations. It’s a requirement of the HIPAA Security Rule, helps healthcare organizations understand their security and prevent costly data breaches.  

4. May 2019

OCR announces Touchstone Medical Imaging, LLC $3 Million Settlement Payment and two-year Corrective Action Plan.

Said Roger Severino, “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”

Touchstone Corrective Action Plan:

TMI was required to complete a thorough, enterprise-wide analysis of security risks and vulnerabilities with a complete inventory of all equipment, systems, data storage facilities, and applications that contain electronic health information.

Solution

The HIPAA E-Tool® makes location-specific Risk Analysis easy and affordable without shortcuts. We provide step-by-step guidance and every question you need to answer. You don’t need expensive outside help to get this done. You create an inventory, identify risks, which populate your To-Do list, creating full documentation of your Risk Management Plan. All consistent with OCR recommended NIST (National Institute of Standards and Technology) procedures.

You can be golden.

Share This Post

Share on facebook
Share on twitter
Share on linkedin

Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2019 The ET&C Group LLC.
The HIPAA E-Tool® is a registered trademark of The ET&C Group LLC
Terms of Service | Privacy Policy