
Don’t Forget Your HIPAA Security Risk Analysis

According to the ADA News, Athens Orthopedic Clinic in Georgia recently settled with the US Health and Human Services (HHS) Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). The settlement consisted of a monetary payment of $1.5 million to OCR, as well as an agreement to implement a corrective action plan to meet HIPAA requirements.

What Happened

Back in 2016, the notorious hacker “thedarkoverlord” (TDO) allegedly hacked into the clinic’s database using credentials it had stolen from a business associate. This gave TDO access to Athens’ electronic medical database, which held a cache of sensitive patient health information, including Social Security numbers. TDO then posted the confidential patient information online after failing to extort Athens.

OCR’s subsequent investigation of Athens discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.

Conduct a Security Risk Analysis

Under HIPAA, all covered entities, including dental offices, are required to perform a security risk analysis to assess vulnerabilities and the mechanisms currently in place to mitigate them. Additional controls should be implemented as needed for compliance. HHS does not specify how frequently to perform a security risk analysis, and the frequency will vary among covered entities. Covered entities may perform the analysis annually or as needed (i.e., every two or three years), depending on the circumstances of their business.

For our OSHA Review Subscribers: The November/December 2018 issue of OSHA Review in Section X of your OSHA Review binder covers HIPAA requirements and includes information about conducting a security risk analysis. Additionally, a HIPAA risk analysis checklist is available from OSHA Review’s website.

Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.
