Last week HHS announced another HIPAA settlement for 2017. This time the Office for Civil Rights (OCR) fined the health center Metro Community Provider Network $400,000. The center had reported a breach of 3,200 patient records resulting from a phishing incident. The interesting part of the story is the reason for the fine. OCR found that the center took the necessary corrective action related to the reported incident, which is good. However, during the course of the investigation it was discovered that the center had not conducted a risk analysis (a requirement of the HIPAA Security Rule) until a month after the incident occurred. That is the failure that ultimately cost them $400k, not the phishing itself. You can read the official press release here. That brings the total to a whopping $11.8M in resolution agreements and civil penalties for HIPAA violations through the first four months of 2017.
The moral of the story is to make sure you do a risk analysis, and do it before an incident forces the question. Once done, it should be repeated periodically (we suggest annually) or whenever a major system change happens within the business. Being technically compliant is not enough -- all of the proper documentation has to be in place for you to be considered compliant. That includes annual employee training, annual policy reviews, and so on. This is true not only of Covered Entities but of Business Associates as well. And make no mistake: when a breach occurs, your full compliance program will be audited, not just the portion related to the breach.
How much effort a business has put into compliance weighs heavily in how OCR sets a HIPAA penalty. A business with a small gap in an otherwise functioning compliance program could be fined as little as $100 per violation. However, if that same business is grossly negligent and has done nothing to address its compliance, the same violation can be fined at a rate as high as $50,000 per violation. There is a good write-up of the full details here, but needless to say it isn't a risk that any business should take.
NeoCloud Consulting offers a HIPAA compliance service to help both covered entities and business associates achieve, maintain and demonstrate compliance. I encourage you to download our HIPAA Compliance checklist here to do a quick self-evaluation. If you have any questions about risk assessments or HIPAA compliance in general, or would like to discuss our compliance services, please contact us today!
Have a great week!