Although risk assessment continues to be a priority in health care organizations, several breaches at small health organizations have resulted in hefty penalties. Privacy protection is a growing concern, and despite stringent laws governing data security, medical institutions are still struggling to safeguard patient information.
The lack of a current and thorough risk assessment can be very costly, and a recent action by federal regulators reiterated this point. The authorities have issued penalties in excess of $1 million to two organizations that were investigated after relatively minor breaches, and both organizations were found to be lacking the current risk assessment required under HIPAA. The Department of Health and Human Services’ Office for Civil Rights issued a $1.5 million HIPAA penalty against one of the organizations, Massachusetts Eye and Ear Infirmary, as part of a settlement agreement. An OCR investigation was also sparked by the report of a breach involving a physician’s stolen unencrypted laptop.
Likewise, an investigation triggered by the theft of an unencrypted storage device in June resulted in the OCR issuing a $1.7 million penalty against the Alaska Department of Health and Social Services. While each case involved alleged HIPAA compliance shortcomings, the lack of a risk assessment appeared to be a key factor in the regulator’s decisions to impose hefty penalties.
An enterprise that is able to enforce strict corporate policies and adhere to all the latest regulatory requirements will be able to protect vital information assets, keep customer confidence, and safeguard business interests. Many industry experts opine that such incidents emphasize the need for organizations to improve their HIPAA compliance efforts. The recent final rules for Stage 2 of the HITECH Act electronic health record incentive program are another excellent gauge of the significance that regulators place on risk assessments as well as encryption.
As any failure to conduct a thorough, timely risk assessment will result in severe penalties from the OCR in the coming months, health care organizations need a reliable solution that can take care of all their security requirements. Secure GRC from eGestalt is one such solution: it has a built-in HIPAA compliance framework and allows organizations to steer clear of security challenges by effectively addressing all of their compliance, audit, assessment, and risk management needs.