Metro Community Provider Network received a $400,000 fine and a corrective action plan for failing to do a risk assessment prior to a phishing incident that exposed 3200 employee files. Doing the risk assessment a month after the breach didn't work.
Posted April 13, 2017 by Jack Anderson
A HIPAA breach caused by a ransomware attack on a solo physician practice proves that it can happen to anyone. Will the audit reveal that the practice was in HIPAA compliance or willful neglect?
Posted April 12, 2017 by Jack Anderson
Compliance Helper offers the NIST framework at a fraction of the cost of HITRUST. Assure compliance with HIPAAssure®, built on the NIST framework, delivered in the SaaS method, and with the Helper methodology to reduce cost.
Posted March 6, 2017 by Jack Anderson
An up to date HIPAA risk assessment is the one single proof of HIPAA compliance that can prevent huge fines and possible jail time. No matter what else you have done if you don't have an official (NIST) and up to date (at least annually) HIPAA risk assessment you are probably in willful neglect.
Posted January 24, 2017 by Jack Anderson
Willful Neglect of HIPAA compliance has caused companies to go bankrupt. How would you handle a six figure penalty from OCR?
Posted January 13, 2017 by Jack Anderson
One wonders what would be revealed if all companies accessing ePHI were to do a comprehensive risk assessment today. How many breaches would be discovered? A breach of nearly 400,000 patient records occurred on a server maintained by a BA. The breach was discovered by an outside person 11 months after it occurred.
Posted December 27, 2016 by Jack Anderson
“We’re doing more investigations of smaller breaches … I think you’re going to see more of that in terms of entities with whom we enter corrective action plans,” reiterated Deven McGraw, Esq., OCR deputy director of health information privacy at the [88th annual American Health Information Management (AHIMA) conference](http://www.ahima.org/events/~/link.aspx?_id=07CB00ACC48D4D4D9446155086C6A05F&_z=z) held October 16-19 in Baltimore, MD
Posted December 21, 2016 by Jack Anderson
An up do date risk assessment is a key element in your MIPS Composite Performance Score. The MACRA Act which was passed with bilateral support in Congress uses the MIPS score to determine reimbursement for practices.
Posted November 22, 2016 by Jack Anderson
If you create, receive, maintain, or transmit ePHI you are a business associate and must be HIPAA compliant, even if the data is encrypted and you don't have the key. Thus saith OCR.
Posted November 9, 2016 by Jack Anderson
Leaving 31,800 patient records open and accessible on the Internet cost St Josephs Hospital a $7.5 million dollar settlement of a class action suit and a $2.145 million dollar fine from OCR. Quarterly risk assessments might have revealed the problem sooner or prevented it from happening at all.
Posted October 20, 2016 by Jack Anderson