HIPAA Blog Posts: HIPAA Business Associates
A ransomware attack can trigger a series of bad events leading to a huge HIPAA fine. The slippery slope: a ransomware attack is a HIPAA breach; when reported, it triggers an audit; the audit discovers the lack of an up-to-date risk assessment; and that leads to a fine for willful neglect.
Metro Community Provider Network received a $400,000 fine and a corrective action plan for failing to do a risk assessment prior to a phishing incident that exposed 3200 employee files. Doing the risk assessment a month after the breach didn't help.
Compliance Helper offers the NIST framework at a fraction of the cost of HITRUST. Assure compliance with HIPAAssure®, built on the NIST framework, delivered in the SaaS method, and with the Helper methodology to reduce cost.
An up-to-date HIPAA risk assessment is the one single proof of HIPAA compliance that can prevent huge fines and possible jail time. No matter what else you have done, if you don't have an official (NIST-based) and up-to-date (at least annual) HIPAA risk assessment, you are probably in willful neglect.
HHS issued new guidelines for covered entities or business associates who use cloud computing to create, maintain, store, transfer, or process PHI. In a nutshell, every entity involved in the process must be HIPAA compliant even if the data is encrypted.
"Beginning this month, OCR, through the continuing hard work of its Regional Offices, (my emphasis) has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals." (OCR-Announcement-8-18-16.pdf)
In a breach reminiscent of the Anthem HIPAA breach, a business associate left 650,000 patient records exposed on the Internet. R-C Healthcare Management, a business associate of Bon Secours, was adjusting its network settings and left the patient records exposed from April 18 through April 21.
Huge fines and audits are the signal that HIPAA compliance is entering a new era for business associates. A $650,000 fine was assessed against a business associate that lost an unencrypted, non-password-protected iPhone, and the audit letters are on their way.
An orthopedic clinic failed to get a BA agreement before sharing PHI with a business associate and got a $750,000 fine. Jocelyn Samuels, director of OCR, said in the statement: "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."