Whether you are audited randomly or as a result of a breach or a complaint, you will be asked to provide evidence of past security/risk assessments and of plans/actions for remediating any deficiencies identified in these assessments. This company's failure to conduct risk assessments was a key factor in the settlement agreement reached with the Office for Civil Rights (OCR) for $400,000 following a breach of 3200 patient records resulting from a phishing attack by a hacker. The company did not perform a risk analysis until after the breach occurred, and even subsequent risk analyses were found to be insufficient to meet the requirements of the HIPAA Security Rule. A link to the press release is below:
https://www.hhs.gov/about/news/2017/04/12/overlooking-risks-leads-to-breach-settlement.html
Fortenza conducts security/risk assessments appropriate for the size and resources of your practice. Contact Fortenza for a complimentary high-level assessment and educational discussion to help determine where you stand on your road to HIPAA compliance and how you can partner with Fortenza to help protect the privacy of your patients. We can also help with drafting and updating business associate agreements, notices of privacy policies, HIPAA and cybersecurity training, and company policies/procedures drafting and review for HIPAA compliance.