It’s no secret that the Department of Health and Human Services under the Office for Civil Rights is heavily enforcing HIPAA and entering into settlement agreements for those who egregiously violate HIPAA. And according to the Ponemon Institute, the 2017 average cost of a data breach in the US has risen to a record $7.35 million. The OCR’s goal is not to cause organizational turmoil, but rather they are leading organizations to take security and privacy seriously in an industry where the stakes have hit an all-time high.
Below are steps organizations can take to protect and secure their ePHI and reduce their exposure to OCR settlements.
Run Risk Analysis of all systems holding ePHI
Position your organization for a strong security and compliance posture by conducting a risk analysis of all systems holding ePHI. A risk analysis identifies where your ePHI is stored and prioritizes the systems that hold it. With the large number of mergers and acquisitions in the health care industry, coupled with the many cloud applications touching an EMR application, ePHI is difficult to track in today’s digital age. Under the HIPAA Security Rule, all applications containing PHI are subject to HIPAA requirements. Conducting a risk analysis to identify every system and application that contains ePHI will allow you to better monitor and protect patient information.