Fallout from failing to conduct a HIPAA risk analysis, Epstein Becker Green, Alaap B. Shah

May 10, 2013

This is an in-depth analysis of the importance of a risk assessment and of mitigating the risks it identifies. As I wrote in my blog yesterday, if you falsely attested to Core Measure 15 of meaningful use you could be hit with major fines and fraud charges. If you are a business associate, your covered entity is within its rights to ask you for a copy of your most recent risk assessment and remediation, and to sever the business relationship if it detects “a pattern of non-compliance” that has not been remediated.

Here are a few excerpts from the whole article and a link:

“There are many reasons a healthcare entity dealing with protected health information (“PHI”) should conduct a risk analysis. First and foremost, if conducted properly, a risk analysis should identify PHI-containing systems, assess vulnerabilities of those systems, evaluate and prioritize risks to those systems, and assist in developing mitigation strategies to safeguard the systems. These on-going efforts can help ensure adequate protection of patients’ health information.”

“In short, failing to conduct a risk analysis can result in:

  • OCR enforcement including civil monetary penalties and resolution agreements;
  • Increased risk of suffering data breaches;
  • CMS enforcement to recoup EHR incentive payments; and
  • OIG enforcement under the False Claims Act including liability of up to 3 times the EHR incentive payment and exclusion from federally funded healthcare programs.”

http://www.techhealthperspectives.com/2013/05/07/fallout-from-failing-to-conduct-a-hipaa-risk-analysis/#page=1
