Road to HIPAA Compliance: Trends in Enforcement Activity

by KirkpatrickPrice / November 29th, 2016

A Conversation about Trends in HIPAA Enforcement Activity

In this webinar, Joseph Kirkpatrick and Mark Hinely discuss historic and 2016 trends in OCR enforcement activity. 2016 was a record year for enforcement and these trends are the most direct way that the OCR can tell us what or where they’re looking.

Mark Hinely has chosen four cases to discuss that represent 2016 enforcement activity trends: UMass Health, St. Joseph Health, Advocate, and University of Mississippi Medical Center. Each of these organizations had breaches that led to massive penalty fines and extensive corrective actions; Advocate’s multiple breaches led to a $5.5 million fine, making it the largest ever. The trends we’re discussing deal with failure to conduct risk analysis and risk management, failure to create and implement effective policies and procedures, and failure to offer proper training to the workforce.

Joseph and Mark also engaged in a Q&A session to answer many questions regarding risk, including:

Q: How do you keep an organization’s risk analysis fresh from year to year?

A: Don’t copy and paste from last year’s risk analysis. Last year is not effective for this year. You need to determine what contains PHI that didn’t last year. Things have changed, even if you think they haven’t.

Q: How do you make a risk analysis more specific from year to year?

A: Bring in a third party assessor, or any type of third party, who can see what you can’t. Even bring in someone internal, but who’s subject matter is different.

Q: What is the difference between a gap analysis and a risk analysis?

A: A gap analysis takes your organization and compares its gaps against strict, specific, published standards. A risk analysis, though, requires you to think more broadly and determine what risks are unique to your organization.

Q: What’s the difference between a risk analysis and risk management?

A: A risk analysis assesses the potential threats to an organization’s confidential information. Risk management takes the information discovered from a risk analysis and acts on it to protect the confidential information.

Listen to the full webinar to learn about each of the cases listed above, hear more of the Q&A session, and learn even further about the current trends in enforcement activity. Contact us today to speak to a HIPAA expert.