As we’ve stressed before, your organization’s annual HIPAA Security Risk Assessment and Analysis are only one element of the compliance process.
Whether you’re a Business Associate or Covered Entity, your organization must also “implement security updates as necessary and correct identified security deficiencies”. In other words, you must act via a Corrective Action Plan (CAP) following the required risk assessment process.
Here are a few common Corrective Action Plan steps. These generally include:
- Implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to information systems maintained.
- Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- Conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Develop a complete inventory of all its categories of electronic equipment, data systems, and applications that contain or store ePHI, which will then be incorporated into its Risk Analysis, and must complete a Risk Management plan.
What happens if I fail to complete my Security Risk Assessment? What happens next?
Failing to complete your annual Risk Assessment oftentimes means the organization will be required to complete a “robust” Corrective Action Plan (CAP) and often with at least two years of monitoring activity.
Have you ever doubted whether a small Billing Company or independent physician practice actually ever face penalties?
Keep in mind, a Business Associate is a ‘person’ or ‘entity’. This means there is no Billing Company too small or too large to comply with the Federal HIPAA regulations. Again, if you haven’t completed an accurate and thorough security risk assessment prior to that, you could also be penalized under ‘willful neglect’. This category alone is $50,000 per violation!
As we have stressed before, it is important for you to understand that every complaint or potential breach must be investigated by HHS/OCR. If you, a billing company, or other vendor, suspects a breach you must inform the covered entity (your client) and have a breach risk assessment completed to determine key factors and take action.
At Live Compliance, we make checking off your compliance requirements extremely simple.
- Completely online, our role-based courses make training easy for remote or in-office employees.
- Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location. Conducting an accurate and thorough Security Risk Assessment is not only required, but is a useful tool to expose potential vulnerabilities.
- Complete set of HIPAA Policies and procedures built directly into your portal. Includes actionability, change management documentation, and Incident Response Policy to assist with your Corrective Action Planning. Easily share policies with staff with one click.
- Built directly into your portal, easily monitor where your workforce may be vulnerable with our Dark Web Breach Searches. Easily expose breach sources with ongoing searching of active employee email or domain ensuring continued awareness of potential breach exposure. Weekly automatic email notifications if new breaches are discovered.
- Short, informative, privacy awareness videos covering technical, administrative, and physical safeguards with topics such as Ransomware, Phishing, the Dark Web, Password Protection, etc. Delivered monthly with no logins required, empower your workforce to make conscious decisions when it comes to your organization’s privacy and security.
Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status. Call us at (980) 999-1585, or email me, Jim Johnson at Jim@LiveCompliance.com or visit www.LiveCompliance.com For more information please contact us at (980) 999-1585 or email us at firstname.lastname@example.org
For more information please contact us at (980) 999-1585 or email us at email@example.com