Just last month, the investigation of a 2013 phishing incident resulted in a $750,000 penalty against University of Washington Medicine. Government Info Security reported that the malware-related breach affected 90,000 people. After its investigation of the incident, the Department of Health and Human Services Office for Civil Rights stressed the need for organizations to conduct a comprehensive, timely and enterprise-wide risk analysis.
OCR said in a statement, “UWM did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”
This breach and the resulting penalty and HIPAA resolution agreement provide solid affirmation that risk assessments must be complete—covering not just electronic medical records (EMR), but the entire scope of electronic protected health information (ePHI). In addition, it’s essential that organizations put in place a robust vendor-management program that assesses all business associates for IT vulnerabilities.
In 2015 alone, the OCR levied about $6 million in penalties over six cases. There could be more in 2016. If your organization isn’t actively conducting the right compliance-risk analysis, the time to act is now.
Carl Cadregari is an executive vice president based out of our Rochester, NY office.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.