Why you have to have a Risk Management Program (Part One) 2.2 million reasons

Posted by Thomas Davon on

Risk Management is a mandatory part of the HIPAA HITECH law that Congress put into place to protect patients' data and their identities. Below is the exact language from the Government Publishing Office (GPO).

“§ 164.308 Administrative safeguards. (1)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

I can hear you now: so what if I don't want to maintain a Risk Management Program? What is the Government really going to do to me? Well, that depends on what the problem is that caused the government to take a look at your business, and how bad the problem was. Let's say you expose a couple thousand medical records due to a computer virus. It's mandatory that you report any compromise of your systems covered by HIPAA, so you have to report to the Office for Civil Rights (OCR) that a compromise has taken place. We'll discuss the possible consequences of failing to report in another article.

They'll first give you a phone call, and some nice people will start sending you letters and emails regarding the event that compromised your systems. Depending on the information gathered during the first stages of the investigation, they may need to show up at your place of business and personally investigate the issue and audit your systems. That's it, not so bad. Well, I mean they will put you on the HIPAA wall of shame (see https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf). They will also give you a small fine. For example, MAPFRE Life Insurance Company got hit with a Failure to Conduct a HIPAA Risk Analysis and Implement Safeguards charge, and was fined $2,200,000.

So think about it: companies like Davon Networks manage their clients' risk management programs for free. Or, like MAPFRE Life Insurance Company, you can pay two million bucks and suffer reputational damage to your company for not having a Risk Management Program. This is why a Risk Management Program is a must, unless you have unlimited dollars and your reputation doesn't matter.
