Close this search box.

HIPAA penalty shows need for compliance-risk audit

By Carl Cadregari, on February 4th, 2016

Just last month, the investigation of a 2013 phishing incident resulted in a $750,000 penalty against University of Washington Medicine. Government Info Security reported that the malware-related breach affected 90,000 people. After its investigation of the incident, the Department of Health and Human Services Office for Civil Rights stressed the need for organizations to conduct a comprehensive, timely and enterprise-wide risk analysis.

OCR said in a statement, “UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”

This breach and the resulting penalty and HIPAA resolution agreement provide solid affirmation that risk assessments must be complete—covering not just electronic medical records (EMR), but the entire scope of electronic protected health information (ePHI). In addition, it’s essential that organizations put in place a robust vendor-management program that assesses all business associates for IT vulnerabilities.

In 2015 alone, the OCR levied about $6 million in penalties over six cases. There could be more in 2016. If your organization isn’t actively conducting the right compliance-risk analysis, the time to act is now.

Carl Cadregari is an executive vice president based out of our Rochester, NY office.

This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.

Share on LinkedIn
Share on Facebook
Share on X

Written By

Carl Cadregari April 2020
Carl Cadregari
Senior Council

Related Articles