HIPAA Security Rule enforcement is ramping up – follow these steps to stay compliant

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently settled with a New York accounting firm serving clients in healthcare for violation of the HIPAA Security Rule, which protects ePHI (electronic protected health information). BST & Co. CPAs, LLP, will pay $175,000 and submit to two years of OCR monitoring of its risk management program.
The violation: “OCR found no evidence to suggest that a HIPAA-compliant risk analysis had been conducted” before a ransomware attack hit in 2019, HIPAA Journal reports.
It’s a common story of needless negligence. HIPAA Journal reports “so far this year, OCR has announced nineteen enforcement actions that included a financial penalty to resolve HIPAA noncompliance. Sixteen of those investigations uncovered risk analysis failures.”
The cumulative fines are running into the millions – and OCR is not done yet. HIPAA Journal reports that “2025 looks set to become the most active year for OCR in terms of HIPAA enforcement.”
What’s so onerous about complying with the Security Rule? Well, nothing, really, if you follow the quantitative approach to risk management. You can find a roadmap to compliance in our whitepaper on HIPAA Security Rule cybersecurity program requirements by Jacqueline Lebo, SAFE’s healthcare cyber risk management expert.
Key points from the HIPAA Security Rule whitepaper
HIPAA security requirements scale to the size and complexity of the organization: a small clinic might be expected to implement strong but basic access controls, while a large hospital system must run advanced controls whose performance is monitored in regular audits.
HHS is specific about the elements a risk analysis must contain (though not about the method). The must-haves include:
- A complete inventory of the ePHI the organization creates, receives, maintains or transmits, and tracking of where it flows.
- Identification of threats and vulnerabilities, accounting for the controls in place and how effective they are.
- Assessment of the likelihood and impact of loss events, and assignment of risk levels.
- Ongoing review and updates as systems, threats and the business change.
Practitioners of FAIR cyber risk quantification will be at home with the key concepts in the HIPAA regulations: risk is a function of the likelihood that a given threat will exploit a given vulnerability and the impact if it does, assessed for the confidentiality, integrity and availability of ePHI.
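To make the quantitative approach concrete, here is an added, illustrative FAIR-style analysis of an ePHI inventory. It is example code written for this post, not the SAFE platform's implementation and not an HHS-prescribed method. The inventory, the threat event frequencies, the vulnerability probabilities and the per-record costs are constructed figures, and the thresholds that map annualized loss exposure to a risk level are assumptions; a real program would calibrate all of them from its own data and document the reasoning.

```python
"""FAIR-style quantitative risk analysis over a constructed ePHI inventory.

Each asset carries calibrated (min, most likely, max) estimates for threat
event frequency, the probability that a threat event becomes a loss event
(which is where control effectiveness enters), and loss per exposed record.
Monte Carlo simulation of many years yields annualized loss exposure (ALE),
which is mapped to a risk level and ranked for the risk register.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

Estimate = Tuple[float, float, float]   # (minimum, most likely, maximum)

# Assumed thresholds for assigning risk levels (USD of annualized loss exposure).
RISK_LEVELS = [("high", 1_000_000.0), ("medium", 100_000.0), ("low", 0.0)]


@dataclass(frozen=True)
class EphiAsset:
    name: str
    records: int                # ePHI records the asset holds (drives loss magnitude)
    tef: Estimate               # threat events per year
    vulnerability: Estimate     # P(threat event -> loss event), given current controls
    cost_per_record: Estimate   # USD loss per exposed record (notification, remediation, penalties)
    controls: str               # controls considered when calibrating `vulnerability`


def _draw(rng: random.Random, est: Estimate) -> float:
    """Sample a triangular distribution from a (min, most likely, max) estimate."""
    lo, ml, hi = est
    return rng.triangular(lo, hi, ml)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(asset: EphiAsset, years: int = 10_000, seed: int = 7) -> Dict[str, float]:
    """Monte Carlo over `years` simulated years; returns ALE and the 90th-percentile annual loss."""
    rng = random.Random(seed)
    annual_losses: List[float] = []
    for _ in range(years):
        # Loss event frequency = threat event frequency x probability the event succeeds.
        lef = _draw(rng, asset.tef) * _draw(rng, asset.vulnerability)
        events = _poisson(rng, lef)
        loss = sum(asset.records * _draw(rng, asset.cost_per_record) for _ in range(events))
        annual_losses.append(loss)
    annual_losses.sort()
    return {
        "ale": sum(annual_losses) / years,
        "p90": annual_losses[int(0.9 * years)],
    }


def risk_level(ale: float) -> str:
    """Map annualized loss exposure to the (assumed) risk level used in the register."""
    for level, floor in RISK_LEVELS:
        if ale >= floor:
            return level
    return "low"


def rank_inventory(assets: List[EphiAsset]) -> List[Tuple[str, float, str]]:
    """Rank assets by ALE, highest first: the prioritisation OCR expects to see documented."""
    rows = []
    for asset in assets:
        ale = simulate(asset)["ale"]
        rows.append((asset.name, ale, risk_level(ale)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed inventory; every figure is illustrative, not a measured value.
INVENTORY = [
    EphiAsset("EHR database", 250_000, (0.5, 1.0, 2.0), (0.10, 0.25, 0.50),
              (50, 150, 400), "MFA for clinicians, no network segmentation"),
    EphiAsset("Billing file share", 20_000, (0.5, 1.0, 2.0), (0.20, 0.40, 0.70),
              (50, 150, 400), "Shared credentials, no DLP"),
    EphiAsset("Lab results archive", 100_000, (0.5, 1.0, 2.0), (0.005, 0.01, 0.03),
              (50, 150, 400), "Encrypted at rest, offline backups, access logging"),
    EphiAsset("Clinic intake laptop", 500, (0.2, 0.5, 1.0), (0.05, 0.10, 0.20),
              (50, 150, 400), "Full-disk encryption, MDM"),
]

if __name__ == "__main__":
    for name, ale, level in rank_inventory(INVENTORY):
        print(f"{name:22s} ALE ${ale:>14,.0f}  {level}")
```

Two points the numbers make that a checklist does not: the lab archive holds far more records than the billing share, yet ranks below it because its controls (encryption at rest, offline backups) drive the vulnerability estimate down, which is exactly the "account for the controls in place and their effectiveness" element HHS asks for; and the ranking itself, stored with the estimates and the control notes, is the documented prioritization whose absence OCR keeps citing.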
OCR enforcement predictably comes down on specific types of failures, such as:
- Superficial or limited risk assessments that miss some of the ePHI at risk or the probable threats and vulnerabilities.
- Failure to document risk management procedures.
- Failure to prioritize risks or to address identified vulnerabilities with due diligence.
- Lack of Business Associate Agreements (BAAs) with third-party vendors that have access to ePHI.
The SAFE One platform comes with HIPAA compliance built in
- Automated ePHI asset identification & assessment
- Threat-informed risk identification
- Continuous risk monitoring & automated control validation
- Real-time financial risk analysis for planning & mitigation
- Industry-accepted frameworks (FAIR, MITRE ATT&CK) for clear communication
- Cost-effective compared with paying fines
As our whitepaper says, “Building a continuous Cybersecurity Risk Management Program aligned with HIPAA is essential for regulated organizations in the healthcare industry. The SAFE platform provides the necessary tools and capabilities to achieve and maintain compliance, enabling organizations to effectively manage cybersecurity risks and meet their regulatory obligations.”
Talk to SAFE about building your program for HIPAA – and optimizing your entire risk management program. Contact us for a demo.