The Texas Health and Human Services Commission is facing a massive fine for failing to conduct an organization-wide HIPAA risk analysis. How much could it cost, you might be wondering?
Can you afford that kind of fine? If not, then you better make sure you properly assess your HIPAA risks and ongoing compliance.
This fine is a part of the fallout the Texas Health and Human Services Commission has experienced in the wake of a data breach they experienced in 2015.
The Department of Aging and Disability Services, a part of the Texas Health and Human Services Commission, reported the potential breach of their patients’ data, including names, addresses, Social Security and Medicaid numbers, and treatment or diagnosis details.
In response to the reported breach, the Office for Civil Rights launched a compliance review. In examining the organization’s HIPAA compliance, the following was determined:
As a result of these failures, the Texas Health and Human Services Commission now faces a $1.3 million fine.
The question is – have you failed in any of the same ways?
If you want to avoid the same noncompliance risks and fines as the Texas Health and Human Services Commission, make sure your HIPAA risk assessment includes:
1. The Scope of the Analysis: Any potential risks and vulnerabilities to the privacy, availability, and integrity of the PHI, such as portable media, desktops, and networks.
2. Data Collection: Locate where the data is being stored, received, maintained or transmitted.
3. Identify and Document Potential Threats and Vulnerabilities: Identify and document any anticipated threats to sensitive data, and any vulnerabilities that may lead to leaking of PHI.
4. Assess Current Security Measures: What kind of security measures are you taking to protect your data?
5. Determine the Likelihood of Threat Occurrence: Take account of the probability of potential risks to PHI—in combination with the third item on this list, this Analysis allows for estimates on the likelihood of ePHI breaches.
6. Determine the Potential Impact of Threat Occurrence: By using either qualitative or quantitative methods, assess the maximum impact of a data threat to your organization.
7. Determine the Level of Risk: Take the average of the assigned likelihood and impact levels to determine the level of risk.
8. Finalize Documentation: Write everything up in an organized document. Make sure that any risks that you’ve identified be documented and a separation “Action Plan” for addressing those items is included.
9. Periodic Review and Updates to the Risk Analysis: It is important to conduct a risk analysis on a regular basis. The HHS says that this guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the department for organizations working to meet these requirements.
Unsure of where to begin? Allow BlueHat Cyber to help – we’ll assess your risks, review our findings with you, and help you remedy any issues. BlueHat Cyber is here to help with your cyber security consulting needs.
Like this article? Check out the following blogs to learn more: