No HIPAA Risk Assessment? $400,000 Fine

How many risk assessments can you get for $400,000? We will give you a lifetime license for only $200,000. Actually, I wonder how much Metro Community Provider Network paid for the risk assessment they had done a month after the breach? According to their website: "Metro Community Provider Network (MCPN) is a nonprofit organization that has been serving the Denver metro area since 1989". So they went 28 years without a risk assessment. Of course, they weren't required to have one until later, but that is still a long time to be asleep at the switch.

But let's not pick on them, because if you asked privacy and security experts (and I have) to estimate the percentage of healthcare organizations or business associates that have an up-to-date risk assessment, very few would go higher than 20%. For larger organizations, quarterly risk assessments are the new standard, and even the smallest organization is required to do one annually. If you are a manager in a healthcare organization, ask your compliance officer for a copy of your most recent risk assessment; you will probably be shocked at the answer.

What is the biggest reason for organizations eschewing risk assessments? Cost is frequently cited. Yet the new automated risk assessments delivered through the Software as a Service (SaaS) model can cost less than $1,000 for a small organization.

What are the odds of an audit? According to The Ponemon Institute: "Nearly 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period."

Come to our website at and try our Free HIPAA Risk Assessment.  If you are an organization of more than 20 employees contact me directly at for a free consultation.
