A key requirement of the HIPAA and HITECH regulations is that covered entities and business associates must conduct a comprehensive and thorough assessment of the potential risks and vulnerabilities to the Confidentiality, Integrity, and Availability (CIA) of all electronic Protected Health Information (EPHI). These HIPAA and HITECH mandates require that organizations must complete a comprehensive and thorough vulnerability assessment on a regular schedule.
The majority of the DHHS civil money penalties and settlements in lieu thereof involve, sometimes with other violations, failure to perform a written risk analysis. These penalties usually are in the seven figure range. Blue Cross Blue Shield of Tennessee, for example, settled for $1.5 million for failing to update its risk analysis when its physical security situation changed. Other seven-figure settlements involved failure to do the required initial risk analysis.
Jonathan P. Tomes is a national HIPAA compliance consultant and attorney admitted in Illinois, Missouri, Kansas, and Oklahoma who practices in Kansas City, Kansas, and the greater Kansas City area. After he had retired from the U.S. Army as a JAGC officer, having been a military judge (which taught him how to read and interpret government regulations) and having spent several years as a military intelligence officer (which taught him about gathering and using information), he taught law at IIT Chicago-Kent College of Law before he opened his own private law practice. Mr. Tomes is President of EMR Legal, a national HIPAA compliance consulting firm. EMR Legal has consulted and trained over 1,000 HIPAA clients since 1998, ranging from Federal, State and County governments to large hospitals to small practices. Jon is currently working on an online HIPAA training video and an online HIPAA risk assessment.