HIPAA Breach Settlements and Ransomware Attacks - Is Your Practice Secure?

by  Wyn Staheli, Director of Research
February 5th, 2018

Two recent reports should make providers stop, take notice and make sure their practice's policies and procedures are up-to-date.

The first one involves a HIPAA Breach settlement of a company with facilities in several states. The OCR memo stated "In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures." The following failures were outlined in the report:

  1. Failure "to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI."
  2. They "impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule."
  3. Failure "to implement policies and procedures to address security incidents."
  4. Failure "to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility.
  5. Failure "to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances.
  6. Failure "to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances."

Every healthcare practice needs to review these six items and ensure that they have taken the appropriate steps to ensure compliance. A Risk Analysis must be conducted annually. It is essential that the previous items are addressed and that you have appropriate policies and procedures in place - which brings us to the next issue.

The second incident involved a ransomware attack on a large EHR company. Approximately 1,500 practices were essentially shut down and in some cases unable to even schedule appointments. While this attack could not have been prevented by those healthcare practices, it shines light on one important HIPAA provision - a disaster plan. The HIPAA Security Officer is responsible for testing and implementing a contingency and disaster recovery plan. Those practices who have complied with HIPAA by having a viable contingency plan are are more effectively able to face situations like this.

To help providers maintain compliance, Find-A-Code's Complete and Easy HIPAA Compliance publication includes, as part of its downloadable, editable templates, a Contingency Plan Procedure (includes a disaster recovery plan) and a Policies and Procedures document.


HIPAA Breach Settlements and Ransomware Attacks - Is Your Practice Secure?. (2018, February 5). Find-A-Code Articles. Retrieved from https://www.findacode.com/articles/hipaa-breach-settlements-and-ransomware-attacks-is-your-practice-secure-32893.html

© InnoviHealth Systems Inc

Article Tags  (click on a tag to see related articles)

Publish this Article on your Website, Blog or Newsletter

This article is available for publishing on websites, blogs, and newsletters. The article must be published in its entirety - all links must be active. If you would like to publish this article, please contact us and let us know where you will be publishing it. The easiest way to get the text of the article is to highlight and copy. Or use your browser's "View Source" option to capture the HTML formatted code.

If you would like a specific article written on a medical coding and billing topic, please Contact Us.


innoviHealth Systems, Inc.
62 East 300 North
Spanish Fork, UT 84660
Phone: 801-770-4203 (9-5 Mountain)
free demo
request yours today
for any budget
sign IN
welcome back!

Thank you for choosing Find-A-Code, please Sign In to remove ads.