Medical Informatics Engineering, Inc (MIE) is an Indiana business that provides electronic medical records and software services to healthcare providers. MIE has agreed to take corrective action and pay a $100,000 fine to settle potential violations of the HIPAA Privacy and Security Rules.
MIE's breach report was filed on July 23, 2015, and detailed that MIE had discovered a hacker had used a compromised user ID and password to access the electronic protected health information (ePHI) of approximately 3.5 million patients. A user ID and password can be compromised in any number of ways, including through spyware, poor password hygiene, or a third-party breach. However, the OCR's investigation into the MIE breach revealed that MIE had not conducted a comprehensive risk analysis, commonly called a Security Risk Analysis or SRA. An SRA is required by the HIPAA Rules, and the absence of this record represents a violation that likely led to the fine levied.
SRAs are a vital part of an organization's cybersecurity and HIPAA compliance plan, as these in-depth reviews can reveal gaps that exist now or may arise in the future. Not only that, the risk analysis serves as the basis by which all measures can be judged as reasonable or appropriate. What is vital for a 200-bed hospital may be ludicrous for a two-doctor practice, and the risk analysis helps define what is logical for each individual medical practice as it builds its compliance roadmap.
It is important to note that, while investigating potential HIPAA violations, the OCR heavily weighs whether an organization has taken all the required steps and acted in good faith to minimize the risks of a breach. In the current technology landscape, it is impossible to prevent all breaches, and simply suffering a breach does not mean that an organization will be fined. However, as this example shows, when it comes to light that the basic steps to reduce risk or improve breach response have not been followed, the OCR is more likely to levy a fine.
Healthcare Technology Advisors advocates a yearly SRA carried out by a third party. This risk analysis can be used to build the yearly cybersecurity and compliance plan that governs how staff are trained, how technology is handled, and how procedures are changed. That plan should be reviewed every quarter in meetings with your IT team and internal staff, to ensure that it remains reasonable and possible to implement, and to check on its progress.
Having these steps in place and documented will not only greatly improve your practice's security, it will also help protect you against HIPAA liability should a breach occur.