Choosing the Right Security Programs Can Mitigate the Financial Penalties Associated with HIPAA Violations

March 23, 2020 Published Article

What happened?

The Department of Health and Human Services (HHS) issued a press release highlighting the financial pitfalls of an improper compliance program under the Health Insurance Portability and Accountability Act (HIPAA). HHS reported that Steven A. Porter, M.D. paid $100,000 and agreed to a corrective action plan with two years of monitoring after the HHS Office for Civil Rights found that he had failed to implement the risk analysis and risk management requirements of the HIPAA Security Rule for the protected health information (PHI) in his care[1].

What is at risk?

This settlement is a reminder that it is not enough to report a HIPAA breach. A covered entity or business associate must conduct an internal risk analysis of its security program, implement security measures that reduce the identified risks and vulnerabilities, and have a strategy for remediation after a breach occurs. Otherwise, the organization is exposed to significant financial penalties and to restrictive oversight that slows operations.

What can you do to make sure you are in compliance?

The National Institute of Standards and Technology (NIST) has released the NIST HIPAA Security Toolkit Application, and the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment (SRA) Tool. Both are linked from the HHS.gov website and are good starting points for assessing and implementing a security program. Internally, efforts may include:

  1. Having senior leaders assess the security program together with the IT department;
  2. Training employees in the proper handling of PHI and electronic PHI (ePHI);
  3. Developing and maintaining reporting and stop-gap strategies for security breaches; and
  4. Maintaining a clear, documented program that describes the organization's efforts to protect PHI and ePHI, ready for a potential audit.

How We Can Help

Our firm can first determine whether your organization is required to comply with HIPAA, review the security programs you use to monitor, protect, and store PHI/ePHI, and train your employees to handle sensitive information. We can also provide clear guidance on how to prevent, detect, and report breaches under HIPAA. Finally, we can defend your organization against any compliance enforcement action brought against it.


[1] https://www.hhs.gov/about/news/2020/03/03/health-care-provider-pays-100000-settlement-ocr-failing-implement-hipaa.html