HIPAA's top cop signaled that 2017 will be no different and OCR will be cracking down on these things this year:

  1. Failure to Conduct a Risk Analysis.  Every provider and business associate is required by HIPAA to do a comprehensive HIPAA risk analysis - and document it.  If you haven’t done one, you are exposed to potential six and seven figure penalties.
  2. Deficient Breach Reporting.  If a breach of patient information occurs, you must report it.  OCR just fined an agency $475,000 for failing to timely report a breach.
  3. Lack of Safeguards for Malware.  You need good technical protections and a plan for handling a malware attack.  If you don’t, you risk big fines, like the one UMass just paid for a Trojan attack.
  4. Burdensome Record Access Policies.  If you make patients jump through too many hoops to get a copy of their records, they can complain and OCR can come after you.
  5. Lack of Business Associate Agreements.  Several providers were fined hundreds of thousands of dollars in 2016 for, among other things, failure to have valid business associate agreements in place.

Join us this Spring at the Certified Ambulance Privacy Officer course where, in just two days, you’ll discover:

  • How to conduct a simple, 4-step risk analysis for your agency
  • What qualifies as a HIPAA “breach,” and when and how to report it
  • Strategies to back up your data to combat malware attacks and new threats like ransomware
  • What you can and can’t ask requesters to do when they ask for a copy of their records
  • How to identify business associates, and the new provisions your business associate agreements need to contain
  • And so much more.