Small Practice Non-Compliance Doesn’t Fly Under The Radar

Small Practice Non-Compliance Doesn’t Fly Under The Radar – Are You At Risk?

It can be easy to assume that the Department of Health and Human Services Office for Civil Rights (OCR) is only really concerned with the “big fish” in HIPAA compliance. Investigations can take years, so why would they worry about smaller healthcare organizations like yours and your potentially minor data breach, when they can focus on major ones?

Case in point – America’s second-largest health insurer, Anthem, was hit with a record-breaking $16 million fine for exposing the medical data of more than 79 million Americans. With cases like that to consider, why would the OCR care about you?

Unfortunately, this thinking isn’t exactly realistic…

Cybercrime And HIPAA Compliance Need To Be Top Priorities For Small Medical Practices

The OCR is just as willing to investigate your minor data breach as they are major ones like Anthem’s. Fresenius Medical Center was handed a $3.5 million fine after five data breaches, each of which affected fewer than 300 patients.

Similarly, you can’t assume that you’re safe from cybercriminals either. Smaller organizations in the healthcare community aren’t flying under the radar. You’re in just as much danger as larger medical practices, or perhaps, even more so, if you don’t have the right cybersecurity measures in place.

For example, a Wyoming community health system, with no more than 90-beds, was hit by ransomware late last year. In the aftermath, they had to cancel appointments and suspend services, severely affecting their patients, and their ability to operate.

Nearly half of all reported data breaches in 2019 affected small businesses, because they’re incredibly easy targets. The fact is that most cybercriminals aren’t spending all that much time or effort on any attack – they’re just sending phishing emails, setting up malware traps, and other largely passive and automated tactics.

That’s why you need to understand your level of risk of a data breach and a HIPAA fine…

Is It Time To Assess Your HIPAA Risks?

If you want to avoid the same noncompliance fines as Fresenius, make sure your HIPAA risk assessment includes:

1. The Scope of the Analysis: Any potential risks and vulnerabilities to the privacy, availability, and integrity of the PHI, such as portable media, desktops, and networks.
2. Data Collection: Locate where the data is being stored, received, maintained or transmitted.
3. Identify and Document Potential Threats and Vulnerabilities: Identify and document any anticipated threats to sensitive data, and any vulnerabilities that may lead to leaking of PHI.
4. Assess Current Security Measures: What kind of security measures are you taking to protect your data?
5. Determine the Likelihood of Threat Occurrence: Take account of the probability of potential risks to PHI—in combination with the third item on this list, this Analysis allows for estimates on the likelihood of ePHI breaches.
6. Determine the Potential Impact of Threat Occurrence: By using either qualitative or quantitative methods, assess the maximum impact of a data threat to your organization.
7. Determine the Level of Risk: Take the average of the assigned likelihood and impact levels to determine the level of risk.
8. Finalize Documentation: Write everything up in an organized document. Make sure that any risks that you’ve identified be documented and a separation “Action Plan” for addressing those items is included.
9. Periodic Review and Updates to the Risk Analysis: It is important to conduct a risk analysis on a regular basis. The HHS says that this guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the department for organizations working to meet these requirements.

Need a hand assessing your HIPAA compliance? Don’t worry, it’s OK to ask for help from when the stakes are this big. You can partner with to have your compliance practices double-checked and supported by the right technology.

Like this article? Check out the following blogs to learn more:

Four Ways to Leverage Cloud Technologies to Keep Your Business Safe

Relief Efforts Underway for Bahamas Hurricane Recovery 

4 Ways IT Outsourcing Helps Your Business

James Ritter

Experienced Chief Executive Officer with a demonstrated history of working in the information technology and services industry. Skilled in Customer Relationship Management (CRM), IT Service Management, Team Building, IT Strategy, and Management. Strong entrepreneurship professional with a Master of Business Administration (M.B.A.) focused in Computer/Information Technology Administration and Management from Humboldt University of Berlin (Humboldt-Universität zu Berlin).