Lack of Risk Assessments Could Cost $729 Million

June 14, 2017

Some EHR Incentive Payment Recipients Lacked Risk Assessments,

An OIG spokesman tells Information Security Media Group that the six EPs that did not meet the meaningful use requirement for security risk assessment “may have conducted the assessments, but they did not provide the documentation that we rely on for proof. They self-attested. We speculate that statistically there are other [healthcare providers] out there in the same situation; that these six professionals aren’t the only ones out there” that would fall short in providing documentation for proving they conducted a security risk assessment if pressed.

As mentioned in the article by other security professionals, this is the tip of an Antarctica-sized iceberg. Many healthcare organizations don't do risk assessments at all. Some use HIPAA checklists, which do not qualify, and others haven't done a risk assessment in years.

As we discussed in our recent webinar, Ransomware is a HIPAA Breach, a risk assessment is critical to help prevent a ransomware attack, and it is also crucial in the event of an attack. In reporting the breach you will be subject to an audit. Initially this could be a desk audit, where OCR requests that within 20 days you send them the following documents: your most recent risk assessment, previous risk assessments, copies of HIPAA policies created and/or edited to fit your organization, documented staff training for the last six years, etc. If you can provide all of this in the allotted time, you will probably get let off with just a warning. If you can't, you might get an on-site audit, which will be a much more encompassing event.

Take an inventory right now. Do you have an up-to-date and genuine risk assessment, documented staff training, and up-to-date policies? If not, let me know and I will set up a time to show you how our Jumpstart program can supply all of this in 72 hours.