Stern Warning From HIPAA Enforcer – Conduct Your Risk Analysis Or Else!
The feds are coming, and they might be coming for you.
That’s right, the federal regulators overseeing the healthcare industry in the United States are ramping up their HIPAA enforcement activities including their soon-to-be-relaunched COMPLIANCE AUDITS. The feds want medical clinics and business associates to heed this warning. Conduct your risk analysis and assessments or face the consequences.
A whopping two-thirds of organizations audited under HIPAA did not conduct a risk assessment according to OCR senior adviser, Linda Sanches. That’s a huge number of organizations falling short of their compliance requirements, and it won’t be long until the penalties start raining down.
Jocelyn Samuels, the director of the Department of Health and Human Services, made her stance very clear in her first public appearance since taking on the job as the country’s top HIPAA muscle: Conduct your risk assessments as required under the HIPAA rules to mitigate risks and avoid breaches.
Samuels said, “We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems.” Samuels’ strong-arm approach of enforcement is a key mechanism of her strategy to ensure compliance with HIPAA. This also includes business associates who work in the medical industry.
How can your clinic or business prevent hefty fines for non-compliance?
- Conduct your risk analysis: This is a simple way to ensure all your bases are covered. When the OCR investigates a breach, they not only look at the actions after the breach occurred to ensure it never happens again, but they also look at what was done prior to the breach occurring in the first place. Get ahead of any problems by conducting the risk analysis, not only to prove that you did your duty, but also to hopefully catch issues before they can lead to a data breach.
- Training: Are all your employees trained to identify and respond to security incidents? Training is a key way to help employees prevent breaches and compliance violations from occurring in the first place, but also consider what training occurs after an incident to learn from mistakes and protect patient information.
- Agreements: Do you have all your business associate agreements in place with all your service companies, suppliers, and consultants? Make sure all your bases are covered – if one of your associates makes a mistake, you could be liable too.
Business Associates: You Can No Longer Hide!
The next phase of HIPAA compliance audits will include you. Organizations will be chosen in the near future as part of the next volley of routine check-ins by the OCR.
Not chosen? Don’t celebrate just yet. If a breach occurs, your organization may be identified throughout the investigate process, and you could still find yourself liable for damages.
Be Forewarned: Conduct your Risk Assessment now. Failure to conduct a risk assessment could lead to large fines if a breach occurs and it is traced back to your organization. Don’t leave your practice and livelihood endangered because you decided a risk assessment wasn’t worth it.
Are you a medical clinic or business associate and not sure where to turn? Contact our team of medical IT professionals today. We will sit down with you and discuss how your organization can prepare today and what to watch out for in the future. We will also conduct a full HIPAA risk assessment or risk analysis to make sure any potential pitfalls are cleared up.