HIPAA Risk Assessments and constant monitoring are essential to the healthcare industry, helping practices avoid HIPAA audit failures. A professionally prepared HIPAA risk assessment can serve as a critical basis for an ongoing HIPAA compliance program.
The OCR is the regulatory enforcement agency that oversees the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, and Data Breach Rules, which protect patients’ fundamental rights regarding nondiscrimination and privacy.
The office is in the process of distributing letters to 1,200 “covered entities” in the healthcare industry, surveying them on the accuracy and compliance of their patient data. These companies will have 10 – 14 days to comply with the requests in the letters.
According to the HIPAA Journal, “any covered entity receiving a survey may have a 50% chance or higher of being audited.” These letters are being readied for distribution to start what will be a permanent audit program. The new program will include both “desk audits” requiring the submission of documents, and site visits where auditors will inspect and observe the organization.
Monetary Penalties for HIPAA Violations

| Violation Category | Each Violation | All Identical Violations |
|---|---|---|
| Did not know | $100-$50,000 | $1.5 Million |
| Reasonable Cause | $1,000-$50,000 | $1.5 Million |
| Willful Neglect - corrected | $10,000-$50,000 | $1.5 Million |
| Willful Neglect - not corrected | $50,000 | $1.5 Million |
HIPAA penalties can reach into the millions of dollars, and smaller medical organizations are not exempt. For instance, according to OCR Director Jocelyn Samuels at the HIPAA Security Conference, a small cancer practice paid a $750,000 settlement after an employee's unsecured notebook computer and backup media were stolen from a car.
HIPAA compliance assessments provide evidence that a healthcare company has conducted ongoing monitoring and backups of its network. Such documentation of the company’s security policies is invaluable during a HIPAA audit and can help reduce fines.
A Security Risk Assessment is the foundational document required by the HIPAA Security Rule. It identifies threats and vulnerabilities that can put electronic Protected Health Information (ePHI) at risk of loss or unauthorized access.
Security from outside intrusions requires, at minimum, a properly configured and monitored firewall and data backups. Managed IT services provided by a company with years of healthcare and HIPAA experience can mean the difference between a quick, successful audit and a painful and expensive forced compliance with the associated fines.
“HIPAA compliance requires specific, concrete evidence that companies have taken steps to confirm that their data is secure, including detailed HIPAA Risk Assessment Reports. Technically, it’s impossible for a company to institute a viable comprehensive compliance program within the 10- to 14-day period that the OCR letters allow.
Practices must prepare a strategy now. HIPAA compliance plans are essential for all healthcare providers.
Hooks Systems of Wilmington and Myrtle Beach offers comprehensive HIPAA Compliance Assessments along with Management Plans, Reports and documentation as required by The Office of Civil Rights (OCR). 24x7 monitoring of network data, backups and security is included in all service packages.