We hate to break it to you, but there's a HIPAA requirement you're more than likely doing wrong. The Department of Health & Human Services' Office for Civil Rights (OCR) is now enforcing the requirement for a true Healthcare Security Risk Analysis.
A HIPAA-required risk analysis includes a risk assessment of Protected Health Information (PHI), a review of policies and procedures, employee interviews for a HIPAA-HITECH audit, a thorough analysis of operational threats, and more. Even more surprising is the lack of risk assessments and vulnerability audits by healthcare organizations' business associates. Remember - anyone who comes in contact with your patient data is also accountable for protecting it.
An in-depth Healthcare Security Risk Analysis isn't a new HIPAA requirement. OCR simply wasn't enforcing it the way it is now. So, what has changed?
Crisis in Cybersecurity
In 2017, the health data of nearly 5 million people was exposed or stolen as a result of the roughly 300 reported data breaches. That's an increase of more than 200 breaches over 2016. That number is expected to keep growing at an alarming rate in 2018, which is why OCR is cracking down on enforcing the complete analysis: it's a healthcare organization's best shot at discovering all of its vulnerabilities and fixing them.
Why It’s Not Happening
Most organizations have the best of intentions, but they simply don't understand the complexity of the HIPAA requirement. They've had a network assessment performed, or a partial analysis, expecting that these efforts would satisfy auditors and protect their data. However, in 2017 hundreds of organizations were levied millions of dollars in fines when OCR audits revealed they hadn't fully met the risk analysis requirements.