Effective cybersecurity and HIPAA compliance come down to the quality of the information you have. It is what you do not know that is most dangerous to you – when was the last time you analyzed your practice’s security and compliance?
You probably hear about HIPAA compliance and cybersecurity all the time. In industry news, emails in your inbox, the occasional seminar, etc. At this point, it may sound a bit like white noise – easy to tune out. Unfortunately, that’s a dangerous attitude to adopt.
Case in point: The Texas Health and Human Services Commission was recently fined $1.6 million for their failure to analyze their HIPAA risk.
Does your HIPAA budget account for that serious of a fine? If not, then you better make sure you properly assess your HIPAA risks and ongoing compliance – or at least have your IT support in Houston do it for you.
This fine traces all the way back to a data breach the Texas Health and Human Services Commission experienced in 2015. A part of their organization (The Department of Aging and Disability Services), had reported the potential breach of their patients’ data, including names, addresses, Social Security and Medicaid numbers, and treatment or diagnosis details.
This triggered a compliance review by the Office for Civil Rights. In the course of their review, they determined the following:
And in the end, what were these failures worth? $1.6 million. That’s why it’s so important for you to figure out if you’ve failed in the same way…
If you want to avoid the same noncompliance risks and fines as the Texas Health and Human Services Commission, make sure your HIPAA risk assessment includes:
1. The Scope of the Analysis: Any potential risks and vulnerabilities to the privacy, availability, and integrity of the PHI, such as portable media, desktops, and networks.
2. Data Collection: Locate where the data is being stored, received, maintained or transmitted.
3. Identify and Document Potential Threats and Vulnerabilities: Identify and document any anticipated threats to sensitive data, and any vulnerabilities that may lead to leaking of PHI.
4. Assess Current Security Measures: What kind of security measures are you taking to protect your data?
5. Determine the Likelihood of Threat Occurrence: Take account of the probability of potential risks to PHI—in combination with the third item on this list, this Analysis allows for estimates on the likelihood of ePHI breaches.
6. Determine the Potential Impact of Threat Occurrence: By using either qualitative or quantitative methods, assess the maximum impact of a data threat to your organization.
7. Determine the Level of Risk: Take the average of the assigned likelihood and impact levels to determine the level of risk.
8. Finalize Documentation: Write everything up in an organized document. Make sure that any risks that you’ve identified be documented and a separation “Action Plan” for addressing those items is included.
9. Periodic Review and Updates to the Risk Analysis: It is important to conduct a risk analysis on a regular basis. The HHS says that this guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the department for organizations working to meet these requirements.
Need a hand assessing your HIPAA compliance?
You can ask for help from IT support Houston, especially when the stakes are this big. You should partner with ICS to have your compliance practices double-checked and supported by the right technology.
Like this article? Check out the following blogs to learn more:
ICS is a Texas-based 37-year-old technology company specializing in Managed IT, VoIP, Video Conferencing and Video Surveillance solutions for US and International businesses. ICS has over 4000 regional installations and specializes in multi-site businesses between 25 and 2500 employees. ICS’s customers enjoy the experience of ICS’s Total Care program which provides clients flat fee services with obsolesence and growth protection. Whether a customer elects to deploy their IT, Video Conferencing or VoIP in the cloud or on the customer’s premise, ICS can provide a full turn-key solution for our clients under one flat monthly fee.
ICS will never sell, rent, share or distribute your personal details with anyone. In addition, we will never spam you.