ECR’s HIPAA Risk-Assessment-as-a-Service delivers security assessment services on an ongoing basis throughout the year. An effective security assessment is not a one-off deliverable: it needs to be reviewed, retested, and repeated on a periodic basis as systems, staff, and threats change. Security risk assessments are essential for discovering risk and for defining security and risk-mitigation strategies that fit your company’s objectives.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct a risk analysis of the electronic protected health information (ePHI) they hold. The rule itself sets no fixed interval, but HHS guidance treats risk analysis as an ongoing process that must be updated whenever the environment changes, and an annual review is the common baseline. The assessment is also how an entity demonstrates that it has implemented HIPAA’s physical, administrative, and technical safeguards. Section 164.308(a)(1)(ii)(A) requires “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” HIPAA civil penalties are tiered by culpability, from violations the entity did not know about, through reasonable cause, up to willful neglect that is not corrected, so the absence of a documented risk analysis directly affects which tier an enforcement action lands in.
May 2019 – A medical software company paid $100,000 after a Department of Health and Human Services (HHS) investigation found that it had not conducted a risk analysis before suffering a breach.
A proper risk assessment identifies the areas of concern where a breach is most likely to occur, before an attacker or an auditor does. HHS has imposed fines of over $128 million against providers, hospitals, and pharmacies.
ECR provides compliance guidance that identifies and lowers the risk of a breach, along with the costly fines and penalties that can be detrimental to a small practice. Most insurers will not cover fines or penalties when due diligence was not performed beforehand, so a documented, current risk analysis is also what keeps a policy enforceable.
Forward-looking companies don’t treat these security assessments as one-time events, but as a series of recurring events that provide timely strategic, planning, and risk-assessment information. ECR can provide its Risk-Assessment-as-a-Service on a monthly or annual basis. This allows period-to-period comparisons and the setting of baselines to measure progress, which supports the ongoing risk management and periodic evaluation the HIPAA Security Rule requires.