OCR HIPAA Breach Settlement Stems from Failure to Conduct Risk Analysis

The Office of Civil Rights (OCR) has recently announced a HIPAA settlement regarding a breach of unsecured electronic protected health information (ePHI) that stemmed from hackers infiltrating a provider’s information system. The hackers employed a phishing campaign to access employee emails that contained PHI. OCR found that the provider had failed to conduct a risk analysis to assess the risks and vulnerabilities related to its ePHI, and had therefore failed to implement the necessary security controls to adequately safeguard its information.

As a reminder to employers sponsoring group health plans subject to HIPAA: a risk analysis is required by the Security Rule and is fundamental to a successful risk management program. Benefit Comply’s Self-Service Online HIPAA Tool provides a template Risk Analysis for customers to use, and our full consultancy HIPAA services include a completed Risk Analysis as one of the deliverables. For more information regarding our HIPAA consulting services, please contact our Sales Department at ARadecki@BenefitComply.com.