Every year millions of doctors around the country submit Security Risk Assessments to their EMR in order to be considered “HIPAA Compliant”. Are they really compliant though? Have all of these private practices really taken every step possible to ensure that they are HIPAA compliant to the fullest, and if they were ever to experience a breach of HIPAA information, would they be fully protected from fines adding up to millions of dollars?
Zekteck performs an assessment alongside private practice owners, managers, and staff in order to find the gaps that exist between their current status of HIPAA compliance and what qualifies as being fully HIPAA compliant.
Why perform an assessment?
Part of HIPAA compliance is completing an annual security risk assessment. This is often accomplished by completing the SRA provided by HHS. How accurately is it being filled out though?
Here are examples of medical practices that were providing an annual risk assessment to their EMR and still incurred thousands or even millions of dollars in fines:
Dentist Divulges PHI
A private dental practice is fined a REDUCED FEE of $10,000 for disclosing PHI on social media. This could be prevented by training employees on security practices every year. See the press release here.
Allergy Clinic Alerts Press
An allergy practice was fined $125,000 for disclosing patient information to a reporter. See the press release here.
Hospital Keeps Accounts
A hospital is fined $111,400 for not removing a terminated employee's access. Access management is a crucial part of remaining HIPAA compliant. See the press release here.
No Business Associate Agreements
Center for Children’s Digestive Health is fined $31,000 for not having a Business Associate Agreement in place. See the press release here.
The above cases only represent the fines for smaller practices. Larger practices are often fined millions of dollars; one of the biggest fines was associated with the Anthem breach, at $16 million.
These cases also only represent the fine owed to the Office of Civil Rights and HHS. They do not account for the cost of the corrective action that is mandated in order to stay in business, which could range anywhere from $10,000 a year to a few million dollars a year.
The way this assessment works
- The private practice will provide Zekteck with the most recent Security Risk Assessment (SRA) that was submitted to the EMR.
- Zekteck will perform, with the private practice owner, managers, and staff, a new SRA using a more investigative approach than the one performed every year.
- Zekteck will perform an analysis of the two SRAs.
- Gaps and recommendations will be presented to the private practice and their team.