Posts Tagged assessment

Don’t Forget Your Risk Assessments!

Don’t Forget Your Risk Assessments!

Many medical practices are planning their Security Risk Assessments for the new year. Whether to better qualify for the 2019 Merit-based Incentive Payment System (MIPS) or to fulfill obligations to comply with the HIPAA Security Rule, a strong strategy now will reap benefits later. It’s a good time to remember what is required when conducting a Security Risk Assessment, as there tends to be confusion around what the Risk Assessment should include.

Here are some helpful reminders as we move through the first quarter of the year:

It’s Not Just a Checklist. A proper Security Risk Assessment is a thorough process where a covered entity under HIPAA should identify, prioritize and estimate the risks to practice operations resulting from the use of or implementation of a specific technology. Once the risks are identified, a plan of mitigation should be created that provides a roadmap for ongoing risk management.

Don’t Just Focus on EMR. While your EMR system, and the safeguards in place to protect EMR data, should absolutely be part of the Risk Assessment process, time should also be spent analyzing and assessing the risk to protected data that sits outside the EMR system. Identify the ePHI in the practice that resides outside the EMR application (e.g. files stored on users’ personal computers, data stored in ancillary systems, copiers and scanners, etc.) and assess the risk associated with this data as part of the assessment.

No Specific Methodology Required. While OCR has provided practices with guidance regarding the Security Risk Assessment Requirement, there is no mandatory process or method by which a practice must follow to comply with the requirement. However, most security professionals recommend following accepted industry frameworks, such as those provided by the National Institute of Standards and Technology (NIST).

Revisit Previous Risk Assessments to Show Progress. When conducting a new Security Risk Assessment, review past analysis and make an effort to document progress made with regards to risk mitigation. As the spirit of the Security Rule has always been to encourage covered entities to use the Risk Assessment as a starting point for ongoing Risk Management, documenting progress made will show the practice doesn’t simply consider the Assessment a rote exercise but a vital part of managing and mitigating risk on an ongoing basis.

You Don’t Have to Outsource Your Security Risk Assessment. OCR is very quick to point out there is no requirement, neither in the Security Rule nor under MIPS, for covered-entities to outsource their Security Risk Assessment. In fact, OCR has published a free, downloadable tool that practices can use to help with efforts to fulfill requirements ( However, OCR does go out of its way to explain the time commitment and skillset required to adequately evaluate and utilize the tool, and encourages all covered-entities to seek professional assistance when considering using these resources to self-perform the Security Risk Assessment.

A thorough Security Risk Assessment must stand up to an auditor or investigator, especially in the event of a security incident. A lack of proper Risk Analysis is cited in many investigative findings that have also carried large financial penalties. Take the time to consider how your practice will approach the Security Risk Assessment in 2019, and consider it as an opportunity to genuinely look at where you might be vulnerable and how the Assessment can be used as a springboard for true Risk Management.


Nic Cofield is Director of Client Services with Jackson Thornton Technologies LLC (JTT). JTT is one of the Southeast’s leading providers of managed IT services, cybersecurity services/consulting and IT Risk Assessments to health care providers. JTT is wholly owned by Jackson Thornton CPAs & Consultants, which is a partner with the Medical Association.

Posted in: Management

Leave a Comment (0) →

Think Your Practice Management Software Makes You HIPAA Compliant?

Think Your Practice Management Software Makes You HIPAA Compliant?

Complying with HIPAA security standards is a complex matter that demands a comprehensive solution. As a busy healthcare provider, it’s easy and convenient to trust that your practice management software satisfies the necessary HIPAA requirements to keep your electronic medical records safe. But the truth is, in most cases, it doesn’t.

A False Sense of Security

It is a common misnomer that electronic health record (EHR) systems make your practice HIPAA compliant. Companies claim they provide tools that support compliance for technical safeguards. A good thing, but technical safeguards are only one component needed to protect electronic public health information. The HIPAA Security Rule requires two other components: administrative safeguards and physical safeguards. Administrative safeguards include policies and procedures that HIPAA requires and critically important business associate agreements. Physical safeguards protect your data from breaches and unauthorized access. The platform you use to manage your practice might tout that their cloud-based system provides encryption and protection from ransomware. Great, but the question is: do they have all of the crucial aspects needed for HIPAA compliance? Read this next sentence twice. Using practice management software that purports to be HIPAA compliant does not make your practice compliant.

Unfortunately, when it comes to HIPAA compliance, a false sense of security can be dangerous. The violation fines for not following the guidelines enforced by the Department of Health and Human Services’ Office for Civil Rights are costly and can irreparably damage your practice’s reputation. In 2018 alone, HIPAA fines topped $28 million. By not properly protecting your electronic health records, you increase the likelihood of a cyberattack. Being hacked might strike you as a random, unlikely occurrence, but statistics tell a different story. According to a 2016 Lloyd’s Report, 92% of businesses experienced a data breach within a five-year period.

A Complete HIPAA Solution

PCIHIPAA is an industry leader in HIPAA compliance and data breach protection. We alleviate the angst and uncertainties associated with HIPAA compliancy with a powerful tool called OfficeSafe. Here’s how our software solution fully protects HIPAA electronic medical records:

  • Comprehensive Risk Assessment – A risk assessment is an annual audit required under the HIPAA Security Rule. Our audit of your practice’s protected health information produces a 22-page report, identifying the potential risks and vulnerabilities to your practice.
  • Easy Creation of Policies and Procedures – HIPAA regulatory standards mandate that covered entities and business associates develop policies and procedures. OfficeSafe makes regularly updating your policies and procedures easy, ensuring that your staff is informed on important issues such as governing access to electronic public health information and identifying malicious software attacks.
  • Online Employee Training – Improperly trained employees can lead to reckless handling of electronic public health information and costly HIPAA fines. We take this time-consuming task off of your plate and ensure that your staff understands exactly what is required by HIPAA law.
  • Crucial Business Associate Agreements – Every vendor and individual you share protected health information with must have a business associate agreement. OfficeSafe makes creating and securely executing these agreements simple and convenient.
  • $500,000 Cyber Insurance Coverage – Our guaranteed expense reimbursement policy for HIPAA violations covers a range of first and third party exposures, including both physical and non-physical risks. In the event of a HIPAA fine, data breach, or cyberattack, we’ll protect your practice from lost revenue and prevent an interruption to your business.
  • Email Encryption and Encrypted Cloud-Based Data Backup – At PCIHIPAA, keeping your data secure is our top priority. Our data backup solution is HIPAA compliant with 256-bit encryption and SQL database restoration capabilities. It enables you to distribute confidential protected health information without worry of ransomware or an unexpected incident.
  • Incident Response Management – Do you have a plan in place in the event of a hurricane, fire, or ransomware attack? Proper preparation—including a data backup plan, a data restoration plan, and an emergency mode operations plan—is a necessity. With OfficeSafe, once you report an incident we’ll work with your IT provider to mitigate the damage and get your business back on track.
  • PCI Certification – PCI is part of our company name for a good reason. As part of our compliance program, we help you complete the Payment Card Industry (PCI) requirements. Our PCI Compliance program also includes quarterly scans of your network.

The dark web is getting smarter. The risk of not fully and properly securing and maintain your patient’s medical records is a mistake your business can’t afford to make. The good news is peace of mind for your practice and your patients is a click away. Take a complimentary HIPAA Assessment right now, and be on your way toward total HIPAA compliance.

Posted in: HIPAA

Leave a Comment (0) →

Do You Know How to Easily Avoid a HIPAA Penalty?

Do You Know How to Easily Avoid a HIPAA Penalty?


Individuals cannot file a lawsuit for alleged HIPAA violations
but can file a legal action under many state laws?

In situations, such as data breaches, in which individuals’ personal information is compromised, individuals can pursue lawsuits seeking relief for damages.



*There is no obligation to purchase our services. Only an obligation to take the assessment and document your office’s key vulnerabilities.



“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations.”

Roger Severino
Director, Office for Civil Rights


Free HIPAA Compliance Webinar

Protect your patient’s Protected health Information

Avoid HIPAA violations and penalties

Save yourself from the headaches of HIPAA compliance



Ruling Reaffirms Individuals Cannot File HIPAA Lawsuits

A federal court recently dismissed a case filed by a patient alleging a laboratory violated HIPAA by failing to shield from public view her personal health information displayed on a computer intake station.

The ruling reaffirmed a longstanding precedent that individuals cannot file a lawsuit, known as a “private cause of action,” for alleged HIPAA violations.

Privacy attorney Iliana Peters of the law firm Polsinelli points out, however, that individuals can file legal action under many state laws.

“It’s extremely important to note that although HIPAA does not have a private right of action, many state laws require entities, both healthcare entities and others, to implement HIPAA-like protections for consumer data, and have stiff penalties,” she says.

For alleged HIPAA violation cases, the Department of Health and Human Services Office for Civil Rights and state attorneys general are the only parties that can bring legal action, Golding notes.

Read More


Easily Avoid Penalties for HIPAA Violations

Protect your reputation, practice and patient’s information.

Avoid willful neglect and the associated HIPAA penalties by attending your no-obligation, 30-minute Risk Review after you complete your complimentary HIPAA Risk Assessment.

PCIHIPAA will review your HIPAA risk assessment and suggest HIPAA compliant policies and procedures.


As a member of the Medical Association of the State of Alabama, you will receive (with no further obligation):


  1. Complimentary 2018 HIPAA Risk Assessment
    Now MandatorySection 164.308(a)(1)(ii)(A)
  2. A 23-Page Risk Analysis Report
  3. A Free 30-Minute HIPAA Risk Consultation
  4. 1 Year of Free Identity Restoration Protection



If you have any questions, call PCIHIPAA at (800) 588-0254. Let them know you are a member of the Medical Association of the State of Alabama.

Posted in: HIPAA

Leave a Comment (0) →

HIPAA Illiteracy Is Considered Willful Neglect

HIPAA Illiteracy Is Considered Willful Neglect



Unsure of your practice’s vulnerabilities?




Judge Rules in Favor of OCR and Requires $4.3 Million in Penalties for HIPAA Violations

OCR’s investigation found that MD Anderson had written encryption policies and risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high-risk findings, MD Anderson failed to encrypt its inventory of electronic devices containing ePHI.


Easily Avoid Penalties for HIPAA Violations

Protect your reputation, practice and patient’s information. MD Anderson knew of their vulnerabilties and high risk findings, but failed to act.

Avoid Willful Neglect and the associated HIPAA penalties starting with a Confidential Risk Assessment.

Attend your no-obligation risk analysis review and have a PCIHIPAA Senior Compliance Officer review your HIPAA risk assessment and suggest HIPAA compliant solutions to your vulnerabilities.



Not protecting the privacy and security of your patient information leads to non-compliance fines, data breaches and reputational risk.

Practices are responsible for patient’s protected health information no matter the consequences.


Let PCIHIPAA know you are a member of the Medical Association of the State of Alabama and claim:

  1. Complimentary 2018 HIPAA Risk Assessment Now MandatorySection 164.308(a)(1)(ii)(A)
  2. A 23-Page Risk Analysis Report
  3. A Free 30-Minute HIPAA Risk Consultation
  4. 1 Year of Free Identity Restoration Protection



Get on the path to compliance in less than 60 days


PCIHIPAA  |  Products & Services  |  800-588-0254  |

PCIHIPAA takes the guesswork out of HIPAA Compliance.
We make sure HIPAA and PCI Compliance is simple and easy to manage.
We work with 1,000’s of practices like yours.
A+ rating with the BBB.

Posted in: HIPAA

Leave a Comment (0) →

Breach Notification…Who, How, When?

Breach Notification…Who, How, When?

February is typically a very busy month for health care compliance professionals because the majority of breaches are required to be reported to the Department of Health and Human Services (HHS) within the first 60 days of the calendar year following the breach. However, the type of breach determines the applicable deadline so it is very important to know what needs to be reported to whom and when.

Entities regulated by HIPAA, including healthcare providers, health plans and business associates, must identify breaches in an adequate and timely manner and respond to breaches accordingly. This response includes identifying the occurrence, thoroughly investigating the incident, completing a thorough Breach Assessment of the incident and timely reporting conclusions to the appropriate parties.

A “breach” is an impermissible use or disclosure that compromises the privacy or security of protected health information. When a breach occurs in a health care setting, the entity may be required to provide notice of the breach to affected parties, including the patient or client, HHS and in some instances media outlets.


Health care entities are required to assess all breaches by considering the likelihood that patient or client protected health information was compromised. This is different than the previous harm standard, which required a determination of whether the breach caused a significant risk of financial, reputational or other harm. Under the compromise standard, consideration is given to the identity of the individual to whom the information was wrongfully provided and the possibility of that individual being able to retain and/or utilize the information.

Entities rely on their Breach Assessment tool to assist them with developing conclusions about the status of a breach. Unless an entity can substantiate and document that the breach was low-risk, it must be reported to appropriate parties as a breach. Pursuant to federal regulation, specific elements must be considered before an entity can determine a breach to be low-risk. Those elements include:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.[1]

These elements, in addition to other documented analysis, must be included on the entity’s Breach Assessment. This document should be customized to the entity and identify criteria that would lead to an objective determination about the nature of the breach.

The adequacy of an entity’s Breach Assessment tool is vital to that entity reaching an appropriate conclusion. The Breach Assessment should document the type of breach and the source of the breach. It should reflect whether it was an oral breach or whether documentation was shared. It should consider whether the individual with whom the information was shared is also a workforce member of a HIPAA-covered entity or whether that individual had any duty to keep the information confidential. After considering these questions, in addition to other factors, the entity should be able to make a reasonable determination about whether the protected health information was compromised.

Content of Notice

If an entity determines that a breach occurred and that breach notification is necessary, they must provide notice of the breach, which at a minimum includes the following:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.[2]

Timeliness Requirements

Entities must adhere to specific deadlines for breach reporting. The timeline is considered to have started on the date that the entity “knew or should have known of the breach.” Meaning that the entity either had direct knowledge of the breach or in the exercise of due diligence the entity should have been aware that the breach took place. This should have known element is important because it holds entities responsible for breaches based on an objective standard which discourages entities from pretending to be unaware of breach incidents.

Notification deadlines are directly related to the size of the breach. Breaches fewer than 500 individuals require notification to the patient within 60 days of discovery of the breach, also known as Individual Notice. Additionally, for breaches fewer than 500, notification must be provided to HHS within the first 60 days of the following calendar year.

Breaches involving 500 individuals or greater require entities to meet the Individual Notice standard described above, but it also requires simultaneous notice to HHS and media notice. Media notice is required to take place both in the place where the entity does business and in the location where the individuals affected by the breach reside. For example, a practice is located in Montgomery, Ala., and they provide services to patients in Montgomery and in Huntsville, Ala. The entity will be responsible for contacting media outlets in both Montgomery and Huntsville to ensure that consumers are informed of the breach. Additionally, if the entity has a website the notice must also be placed on the entity website.

Wall of Shame (for breaches of 500 individuals or greater)

The HHS Office of Civil Rights (OCR) notifies the public of large breaches in an effort to strengthen consumer trust and transparency. These breaches can be found on the HHS website and are known in the health care industry as the “Wall of Shame.” This Wall of Shame identifies entities that are currently under investigation, as well as entities who have already settled their cases with HHS or otherwise resolved their cases through administrative proceedings. It documents the name of the entity, the exact number of people involved in the incident and the type of breach. While the Wall of Shame generally reports incidents that occurred within the last two years, there is also an archive section that allows consumers to review cases occurring before that cut off period. You can view the HHS Wall of Shame by utilizing the following link:

Understanding the Breach Notification Rule can be tricky. This area of the regulations has many aspects that require professionals to perform specific analysis as they navigate each incident. Your entity compliance professional should be trained on the requirements and ensure that your policies and procedures are updated regularly. Your entity can report breaches to HHS by utilizing the following link:

Should your entity have questions regarding the Breach Notification Rule, they should contact a healthcare compliance professional for guidance.

[1] 45 CFR 164.402(a)(2)

[2] 45 CFR 164.404 (c)

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →