The latest settlement for a potential HIPAA violation gives us another example of the consequences of not conducting and documenting a comprehensive risk analysis and not having a risk management plan. http://www.hhs.gov/about/news/2016/08/04/advocate-health-care-settles-potential-hipaa-penalties-555-million.html
According to the Open Group Standard Risk Analysis, a risk analysis is the evaluation component of the risk assessment process; it determines the significance of the identified risk concerns. For a covered entity, the most important aspect of the risk analysis is identifying where PHI is processed, stored, and transmitted, and who has access to it. If a covered entity cannot account for its PHI, it cannot protect it.
According to the Office for Civil Rights (OCR) website, Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, OCR, for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and to adopt a corrective action plan.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
About Jim Angle
Dr. Angle has over 20 years of experience in multiple areas of IT, culminating in his role as Deputy CIO for an Army hospital. He has over 15 years of information security experience in both government service and the private sector. He is currently a Regional Information Security Officer for Trinity Health. In this capacity, he manages information security and HIPAA security compliance for 17 hospitals and 83 clinics.