top of page

What Can We Learn from HIPAA Settlements? Have a current risk assessment.

An important theme that emerges from the Department of Health and Human Services' Office for Civil Rights' dozens of HIPAA settlements and other enforcement actions is that all aspects of compliance are critical and subject to scrutiny by federal regulators, says former OCR director Leon Rodriguez.

"The question of a weak or outdated risk assessment has always been an issue from the very beginning of HIPAA enforcement - and it will continue to be one for the future," Rodriguez says, describing a common shortcoming OCR has frequently spotlighted in settlements that emerge from breach investigations. "That said, one of the things I think is important about ... the settlements over time is the diversity of violations of various sections of the HIPAA security and privacy rules," says Rodriguez.

"You have different violations in different cases - and that's an indicator that you need ... to be looking at all aspects of compliance," he says in an interview with Information Security Media Group.

In addition to making sure they have up-to-date risk assessment, healthcare entities "also need to be looking at their business associate relationships and they need to be looking at self-audits," he says. "There's a broad variety of things that need to be active parts of their HIPAA compliance programs in order to avoid enforcement."

Read full article/video:

bottom of page