HIPAA – Security Risk Analysis

Government bodies such as HHS, OCR, and CMS conduct random but meticulous audits to review HIPAA compliance. We recommend being prepared and having P3 complete a risk analysis for you beforehand, to reduce the chance of being penalized. Although the chance of being audited is relatively low, safety and risk violations can lead to legal action or fines. Let’s take a look at some odds:

These audits focus on identifying noncompliance with the HIPAA Privacy, Security, and Omnibus Rules. Violation penalties are based on the level of negligence and can range from $100 to $50,000 per violation or per patient record, with a maximum penalty of $1.5 million per year. Criminal charges resulting in jail time are also possible.

The fines and charges have two major categories: “Reasonable Cause” and “Willful Neglect.” Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 per incident and may result in criminal charges as well.

HIPAA violation categories and their respective penalties:

What is HIPAA and ePHI?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

Source: Summary of the HIPAA rules and ePHI

P3 Risk Analysis Process

To pass an OCR audit, covered entities must have a thorough, documented Security Risk Analysis in place to protect electronic protected health information (ePHI). P3 takes on this task with great vigilance and completes a security risk analysis in collaboration with providers within a time period that depends on the size of your practice. Some of the services we offer include:

  • Designating a privacy and security officer within the place of service
  • Constructing written policies and procedures
  • HIPAA-related employee training (uncapped) included within the service offering
  • Complete module-based risk assessment
  • Disaster recovery plans
  • PHI disposal logs
  • Security incident monitors and incident reporting guidelines

When constructing a Security Risk Analysis (SRA), the mandates of the Security Rule must be followed. Hence P3 bases the SRA on three cores:

Technical Safeguards

Examples:
  • Access and audit controls for any software holding ePHI (EHR, RCM), and for access to prescriptions and other documentation containing PHI
  • Prevention of unauthorized destruction of PHI

Physical Safeguards

Examples:
  • Facility access control
  • Device and media controls

Administrative Safeguards

Examples:
  • Workforce access to PHI and security
  • Contingency plans

With each module covered, risk assessments are made for each finding, taking into account:

  • Probability of possible breach
  • Severity of possible breach

We recommend getting in touch with a professional if you receive an audit. Many online tools offer convenience, but they are risky shortcuts. “Having” documentation should not be confused with “good” documentation. Auditors look for quality rather than quantity, focusing on whether the documentation contains the appropriate information.
