HHS’ Office for Civil Rights reports $28.7M in payments for record HIPAA enforcement year

The Department of Health and Human Services Office for Civil Rights had a record year for settlements from its enforcement of the nation’s largest healthcare privacy law. 

In 2018, OCR settled 10 cases and secured one judgment totaling $28.7 million in fines for violations of the Health Insurance Portability and Accountability Act (HIPAA) by healthcare providers and health-related companies. That total is 22% higher than the previous record of $23.5 million in 2016.

That was due in part to the single largest HIPAA settlement in history of $16 million with Anthem Inc. The insurer agreed to pay HHS the settlement in October for a landmark 2015 breach that impacted nearly 79 million consumers.

An investigation by OCR found that the insurance giant failed to conduct an enterprise-wide risk analysis, regularly review system activity or identify and respond to a known threat.

The previous record settlement was $5.5 million in 2016.

  • The University of Texas MD Anderson Cancer Center was ordered to pay a $4.3 million penalty issued by an administrative law judge in June—the second summary judgment victory in OCR’s history of HIPAA enforcement. The cancer center faced penalties over three data breaches dating back to 2012 and 2013, when an unencrypted laptop was stolen from an MD Anderson employee and two unencrypted USB thumb drives containing information on 33,500 patients were lost.

    An investigation found that MD Anderson had written encryption policies dating back to 2006, and an internal risk analysis found a lack of encryption on hospital-owned devices posed a security risk.
  • Fresenius Medical Care, which operates more than 2,200 dialysis clinics, along with outpatient cardiac and vascular labs and urgent care centers, agreed to a $3.5 million settlement after an OCR investigation revealed that the company failed to perform an accurate and thorough risk assessment, which led to five separate data breaches over a five-month period in 2012. 
  • Cottage Health agreed to pay $3 million to OCR and “to adopt a substantial corrective action plan” after OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information affecting over 62,500 individuals in 2013 and 2015. Cottage Health operates Santa Barbara Cottage Hospital, Santa Ynez Valley Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital in California.

OCR HIPAA enforcement actions, 2018

Date        Entity (action)                                    Amount
Jan. 2018   Filefax Inc. (settlement)                          $100,000
Jan. 2018   Fresenius Medical Care North America (settlement)  $3.5M
June 2018   MD Anderson (judgment)                             $4.35M
Aug. 2018   Boston Medical Center (settlement)                 $100,000
Sep. 2018   Brigham and Women’s Hospital (settlement)          $384,000
Sep. 2018   Massachusetts General Hospital (settlement)        $515,000
Sep. 2018   Advanced Care Hospitalists (settlement)            $500,000
Oct. 2018   Allergy Associates of Hartford (settlement)        $125,000
Oct. 2018   Anthem Inc. (settlement)                           $16M
Nov. 2018   Pagosa Springs (settlement)                        $111,400
Dec. 2018   Cottage Health (settlement)                        $3M

“HHS’ Office for Civil Rights reports $28.7M in payments for record HIPAA enforcement year”. Fierce Healthcare, US. Retrieved February 28, 2019.

Doctors snooped into Humboldt Broncos patient records, privacy commissioner finds

“This has been a major tragedy in our province and I’m disappointed that people got tempted,” information and privacy commissioner Ronald Kruzeniski said.

Saskatchewan’s privacy commissioner has found several people inappropriately gained access to the electronic health records of the Humboldt Broncos team members involved in a deadly bus crash last April.

Sixteen people were killed and 13 were injured in the crash between the junior hockey team’s bus and a semi trailer at a rural Saskatchewan intersection on April 6, 2018.

“This has been a major tragedy in our province and I’m disappointed that people got tempted,” information and privacy commissioner Ronald Kruzeniski said in an interview with The Canadian Press on Monday. “Now that it’s happened … it’s my job to work with others through education and legislative change (to) make the system work.”

In four reports posted on his website, Kruzeniski noted that eHealth Saskatchewan began monitoring the profiles of the patients — which included lab results, medication information and chronic diseases — three days after the crash.

From April 9, 2018, to May 15, 2018, the health agency detected that at least seven users, mostly doctors, had accessed the system to view the profiles of up to 10 patients.

The reports said that eHealth reported the breaches to the privacy commissioner.

Kruzeniski detailed the privacy breaches in those reports.

In one case, an employee of a medical clinic examined the health information of three people involved in the collision.

The assistant admitted she consulted the records because “her family members had heard one of the individuals had died and she wanted to verify the information; she thought another individual was a patient … (and) she wanted to verify a detail that was reported by the media about one of the individuals.”

The report said the employee’s access to eHealth was suspended and she was given further training, but she has since resigned.

Another case involved a doctor at a Humboldt clinic who viewed the records of two people who were patients prior to the crash.

“Dr. D wanted to know what injuries the individual sustained, if the individual received care or if it was an instant fatality,” said the report. “For the other individual, Humboldt clinic explained to eHealth that Dr. D was concerned.

“Based on these explanations, Dr. D did not have a need-to-know.”

Other breaches included three doctors who provided emergency care at the Nipawin Hospital and who reviewed patient records of those they treated.

“They believed they were in the individuals’ ‘circle of care,’” said the report.

The privacy commissioner said the province’s Health Information Protection Act does not address circles of care so the doctors were no longer authorized to access the records.

“You are entitled to access when you have a need to know, not an anticipated need, not, ‘Gee, I might like to know,’” he explained.

During the monitoring period, two medical residents also looked at the records of one crash patient when the residents were reviewing the records of dozens of other patients with a particular illness.

Kruzeniski made a number of recommendations to eHealth — including that it conduct regular monthly audits for the next three years of the physicians involved.

The privacy commissioner also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept and that users of eHealth be made to regularly review their training.

A statement from eHealth said it took a number of measures to address the breaches, including notifying the privacy commissioner and the families affected.

It terminated the account of the medical office assistant, suspended the accounts of the medical residents until they had further training and sent letters to the doctors. It’s reviewing the recommendations from the privacy commissioner.

The Saskatchewan Health Authority said it is also following up on the breaches and apologized to the patients and their families.

“We are deeply sorry that the situations described in the privacy commissioner’s reports may add to their stress,” the authority said in a statement.

“We believe the physicians cited in the cases … specifically those who provided care to the patients affected, acted in good faith and out of sincere concern for the patients and families touched by this terrible tragedy.”

The health authority said it will work with the Ministry of Health on possible amendments to privacy regulations.

“Doctors snooped into Humboldt Broncos patient records, privacy commissioner finds”. National Post, Canada. Retrieved February 15, 2019.

Healthcare record breaches tripled in 2018

There was at least one health data breach a day and 503 health data breaches overall in 2018 according to analysis released this week.

The number of breached patient records tripled in 2018, to the tune of some 15 million patient records, according to research released this week.

Those numbers – 5,579,438 records in 2017 to 15,085,302 records in 2018 – come despite only a modest uptick in health data breaches, from 477 in 2017 to 503 in 2018.

The research, Protenus’ 2019 Annual Breach Barometer Report, looked at healthcare data breaches reported in 2018, drawing on information from the Department of Health and Human Services’ Office for Civil Rights, letters to state attorneys general, and Databreaches.net.

The numbers are about in line with research published throughout the year last year. In August the firm said there were 3.14 million patient records breached across 150 incidents in Q2 alone that year, a number which when extrapolated across a year, gets close to 15 million records.

Looking at the cause of breaches, hacking-related incidents took the cake in 2018, accounting for 44 percent of breaches, a share that reflects a jump in incidents from 178 in 2017 to 222 in 2018. Insider incidents, a category in which the researchers included both human error and insider wrongdoing, were still prevalent but less so than the previous year: in 2017 insiders carried out more than a third of breaches, 37 percent; in 2018 they committed 28 percent.

Nearly half, 49 percent, of incidents involved the disclosure of health data by a business associate or third party. Family snooping remains a big issue and a cause of breaches too: 67 percent of insider breaches were the result of family members, while snooping co-workers were responsible for 16 percent.

It should come as little surprise that healthcare providers were among the hardest hit in 2018, accounting for 353 breaches, roughly 70 percent of all breaches. 62 of the breaches were reported by health plans and 39 were reported by other entities.

Those statistics lend credence to research published last November suggesting that more protected health information (PHI) is leaked by healthcare providers than by hackers. Research carried out by Michigan State University and Johns Hopkins University found that a quarter of the cases the researchers looked at were caused by internal unauthorized access or disclosure, more than twice the amount caused by external hackers.

It should be added that this is just one research paper, and one that looked at breaches between October 2009 and December 2017.

The 44 percent figure in Protenus’ research accounts for 11.3 million patient records impacted by hacking in 2018, more than three times the 3.4 million compromised by hacking in 2017.

One of 2018’s biggest breaches came after AccuDoc, a third party billing vendor of Atrium Health, formerly Carolinas HealthCare System, experienced a breach in September. The North Carolina-based healthcare system indirectly had the billing information of 2.65 million people compromised as a result. Insurance policy information, medical record numbers, invoice numbers, account balances and dates of service may have also been accessed.

These days, it’s difficult for healthcare organizations to be completely immune from cyberattacks. A survey (PDF) published by the Healthcare Information and Management Systems Society (HIMSS) earlier this month said that two-thirds of non-acute and vendor organizations experienced a security incident over the last 12 months. Put the other way, only a small fraction of respondents, 22 percent, said they did not experience a significant security incident during the past 12 months.

Securing a modern healthcare organization can be a challenge but is essential in order to safeguard patient data. The Office for Civil Rights at the US Department of Health and Human Services encourages organizations to perform security risk assessments to identify vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Orgs should also ensure they perform security training, phishing simulation tests, and mitigate issues inherent with legacy systems.

Implementing a data protection platform that can secure PHI, whether in the cloud, on internal desktops and laptops, or on network servers, can ensure data security while satisfying the requirements of today’s regulatory environment.

“Breached Healthcare Records Tripled in 2018”. Digital Guardian, US. Retrieved February 15, 2019.

Verizon 2018 Data Breach Investigations Report

What went wrong? An exploration in trends and data.

Within the 53,000+ incidents and 2,200-odd breaches you’ll find real takeaways on what not to do, or at the very least, what to watch for.

At first glance, identifying 53K+ incidents in only 12 months suggests an information security dystopia, an uneven playing field where the bad guys consistently win out. And, the 2018 Data Breach Investigations Report (DBIR) is full of nefarious events by offenders both known and unknown.

However, that same catalog of unscrupulous activities offers security pros a first-hand view into current cybercrime trends, and a map towards developing a prosperous and mature security program.


Healthcare is the only industry where the threat from inside is greater than that from outside. Human error is a major contributor to those stats. Employees are also abusing their access to systems or data, although in 13% of cases, it’s driven by fun or curiosity—for example, where a celebrity has recently been a patient.

The Healthcare vertical is rife with Error and Misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry.

Not easy like Sunday morning

If we were to assess the overall wellness of the Healthcare vertical with regard to security, the prognosis would not be terrifying, but neither would it be encouraging. Something along the lines of “greatly improve your diet, stop smoking and increase your workout routine or else” would cover it. Before we judge them too harshly, however, we must keep in mind a few important facts about the Healthcare vertical:

  • They deal with a vast amount of highly sensitive data that they must retain and protect;
  • That data must be kept current and accurate and must be accessible in a very timely manner for the healthcare professionals who need it (as life or death decisions might be based on it);
  • It is subject to a much higher standard of scrutiny with regard to privacy and disclosure requirements than are most other verticals, due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Et tu, Brute?

As Caesar found out the hard way, often those who do you the most harm can be those closest to you. The Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat. This somewhat bleak finding is linked closely to the fact that there is a large amount of both errors and employee misuse in this vertical. With regard to incidents, Healthcare is almost seven times more likely to feature a causal error than other verticals in our dataset, but you might not want to ponder that when you go in to get that appendix removed.

Errors most often appear in the form of misdelivery (62%)—which is the sending of something intended for one person to a different recipient—and is followed by a grouping of misplacing assets, misconfigurations, publishing errors and disposal errors.

Misuse, on the other hand, takes the form of privilege abuse (using logical access to assets, often databases, without having a legitimate medical or business need to do so) in 74% of cases. Interestingly, the motive (when known) is most often (47%) that of “fun or curiosity.” Examples of this are when an employee sees that their date from last weekend just came in for a checkup, or a celebrity visits the hospital and curiosity gets the better of common sense. Not to be forgotten, our faithful friend avarice is still alive and well, with financial gain being the motivation in 40% of internal misuse breaches.

Ransomware is everywhere

No doubt over Thanksgiving dinner you and your family fell into conversation about the possible reasons for the rise of the Crimeware pattern to the number two position in the Healthcare vertical. Of course, you did. It’s only natural. It is due to the ransomware epidemic that continues to plague the Healthcare industry. Ransomware accounts for 85% of all malware in Healthcare. Due to Department of Health and Human Services regulations, ransomware outbreaks are treated as breaches (rather than data at risk) for reporting purposes. Consequently, it is difficult to know if Healthcare is more susceptible to ransomware than are organizations in other industries, or if the high percentages of it being recorded are simply a product of more stringent reporting requirements. Regardless of the reason, the wise security practitioner will take immediate steps to combat this ubiquitous attack type. Due to the ease of the attack, the low risk for the criminal, and the potential for high monetary yields, it is likely here for a lengthy stay in spite of the quality of the hospital food.

Please do not feed the phish

Social attacks (mostly phishing and pretexting) appear in approximately 14% of incidents in Healthcare and are a definite matter for concern. Phishing (70% of social attacks) occurs when an attacker sends a communication—usually an email—to an individual attempting to influence them to open an infected file or click on a malicious link. Once the victim clicks, the criminal can upload malware and engage in other insidious acts that will enable prolonged access to the system. Pretexting (20%) is a similar social attack but is somewhat more involved. In this scenario, the criminal emails, calls or even visits an employee in person and engages them in conversation to fool the victim into providing the attacker with credentials, or other sensitive data, with which they can launch an attack. Like a sort of Norman Vincent Peale gone wrong. Healthcare has a wide attack surface for social tactics due to the very nature of what they do. Relatives and friends calling in to check on patients, third-party providers of equipment and services and so on can provide a social engineering criminal with a great deal of both opportunities and cover.

Please report to lost and stolen

The theft of assets accounts for 90% of the physical action types in Healthcare. The number of stolen assets also went up this year, but that is likely caseload bias. Regardless, laptops and other portable devices, and paper documents consistently go missing from healthcare organizations each year. Victim work areas (offices) account for 36% of theft locations, and employees’ personal vehicles account for 32% of theft. The latter is particularly worrisome because in many instances, the asset in question residing in an employee’s personal vehicle was likely to be a policy violation. However, it must be admitted that we do not have the hard data to definitively prove that statement, but it is offered in the same spirit as “Do you know what the penalty for cruelty to laptops is in this state? No, sir, I don’t. Well, it’s probably pretty stiff.”

Things to consider

Dr., I can’t read this Rx

The theft or misplacement of unencrypted devices continues to feed our breach dataset. Full Disk Encryption (FDE) is both an effective and low-cost method of keeping sensitive data out of the hands of criminals. FDE mitigates the consequences of physical theft of assets by limiting exposure to fines and reporting requirements. Reduce your risk footprint where you can. Seriously, please do this as we are tired of repeating this same recommendation!

Institute a smackdown policy

Ensure that policies and procedures are in place which mandate monitoring of internal Protected Health Information (PHI) accesses. Make all employees aware via security training and warning banners that if they view any patient data without a legitimate business need there is potential for corrective actions.
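The control that both the Humboldt Broncos reports (eHealth watching who opened the flagged profiles) and this recommendation describe is a need-to-know check: every access to a patient record is compared against a documented care relationship, and accesses with none are reviewed. The script below is an added example written for this page, not eHealth's or Verizon's tooling; the log format, the field names, the 30-day window and every sample record are constructed assumptions.

```python
"""Need-to-know review of PHI access logs (added example, not from the source).

Each record view is checked against a table of documented encounters. Views with
no care relationship are reported; views of watchlisted patients (as eHealth did
for the crash victims' profiles) get a distinct reason so they can be escalated
first. Log format, field names, window and sample data are all assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed: patient IDs placed under heightened monitoring.
WATCHLIST = {"P-1001", "P-1002", "P-1003"}

# Constructed: documented care relationships. A user has a need-to-know for a
# patient only around an encounter the user was actually part of.
ENCOUNTERS = """user,patient,date
dr_a,P-1001,2018-04-06
dr_a,P-1002,2018-04-06
dr_b,P-2001,2018-04-10
"""

# Constructed audit log: who viewed which record, when, and in which role.
ACCESS_LOG = """timestamp,user,role,patient,action
2018-04-07,dr_a,physician,P-1001,view
2018-04-09,moa_c,office_assistant,P-1003,view
2018-04-12,dr_b,physician,P-1001,view
2018-04-15,dr_a,physician,P-2001,view
2018-05-01,res_d,resident,P-1002,view
"""

NEED_TO_KNOW_WINDOW = timedelta(days=30)  # assumption: encounter +/- 30 days


def load_encounters(text):
    """Return {(user, patient): [dates]} from the encounter table."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["user"], row["patient"])
        table.setdefault(key, []).append(date.fromisoformat(row["date"]))
    return table


def has_need_to_know(encounters, user, patient, when):
    """True if the user had an encounter with this patient inside the window."""
    return any(abs(when - d) <= NEED_TO_KNOW_WINDOW
               for d in encounters.get((user, patient), []))


def audit_accesses(log_text, encounter_text, watchlist=WATCHLIST):
    """Return (timestamp, user, patient, reason) for every access that lacks a
    documented care relationship, in log order."""
    encounters = load_encounters(encounter_text)
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = date.fromisoformat(row["timestamp"])
        if has_need_to_know(encounters, row["user"], row["patient"], when):
            continue
        reason = ("watchlisted patient, no care relationship"
                  if row["patient"] in watchlist
                  else "no care relationship")
        findings.append((row["timestamp"], row["user"], row["patient"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_accesses(ACCESS_LOG, ENCOUNTERS):
        print(" | ".join(finding))
```

Run against the constructed data, the physician's own post-crash view passes, while the office assistant, the second physician, the resident and one out-of-relationship view by the first physician are all reported. A real deployment would feed the encounter table from scheduling or ADT data rather than a literal string.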

Don’t spread the virus

Preventive controls regarding defending against malware installation are of utmost importance. Take steps to minimize the impact that ransomware can have on your network. Our data shows that the most common vectors of malware are via email and malicious websites, so focus your efforts around those factors.

“2018 Data Breach Investigations Report”. Verizon Enterprise, US. Retrieved February 18, 2019.

Four ways Aligned Risk Management makes HIPAA easier in 2019

Many health care organizations struggle to comply with required HIPAA regulations and many have forfeited important Merit-based Incentive Payment System (MIPS) incentive funds. Aligned Risk Management is here to ensure that every health care organization can affordably comply with HIPAA and MIPS. Below are four simple steps you can take today.

  1. Visit our HIPAA site.
  2. Call or email for a free HIPAA checkup.
  3. Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.
  4. Check out our free FAQ.

Visit our HIPAA site.


Here you will find many free educational opportunities, tools, policy and procedure templates, and other important materials to assist you with your HIPAA compliance efforts.

Call or email for a free HIPAA checkup.

505-908-9040 or patrick@riskaligned.com

Have an easy conversation with our certified HIPAA professional and gain confidence about your current HIPAA and MIPS readiness, or find out what steps you can take to benefit your organization and patients.

Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.

505-908-9040 or patrick@riskaligned.com

Federal HIPAA regulations and the advancing care information (ACI) category of MIPS require you to perform an audit-worthy security risk analysis and complete a risk management plan to become HIPAA and MIPS compliant. Aligned Risk Management will guide you through the process and provide you with the policy and procedure templates, tools, and materials necessary to comply with HIPAA, pass an audit, and receive the MIPS incentives you deserve.

Check out our free FAQ.


Whether you are new to HIPAA or just need a refresher, you will find our HIPAA webinars informative and helpful. Join us as we share our HIPAA knowledge and experience, and answer your HIPAA

Memo: Train your staff on the use of password management software

Aligned Risk Management recommends password management software for all staff and especially for staff who work with a large number of external web application accounts.

  • A password manager can help encourage the use of long, complex, and unique passwords.
  • A password manager can reduce the need for users to commit their passwords to memory, making it less likely that they could expose their passwords inadvertently to social engineering attackers.
  • Automated password managers will fail to populate password fields on look-alike phishing pages, which can alert users that they are not accessing the system they expected.
  • Best practices recommended by the National Institute of Standards and Technology (NIST) endorse the use of password managers.

“Verifiers SHOULD permit claimants to use ‘paste’ functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.”

National Institute of Standards and Technology, NIST Special Publication 800-63-3: Digital Identity Guidelines.
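The third bullet above depends on how a manager decides that the page in front of it is the one a credential was saved for: it stores the origin at save time and offers the credential only when the current page's origin matches, so a look-alike host never receives the fill. The code below is an added illustration of that origin check, not the code of any password manager; its matching policy, the tiny public-suffix list and the sample URLs are assumptions.

```python
"""Why autofill stays silent on look-alike pages (added example).

Policy (assumption): a credential is filled only on an https page whose
scheme, host and port equal the saved origin; with same_site=True, sibling
subdomains of the same registrable domain are also accepted.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix list; real managers use the full one.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 of a host: portal.example.com -> example.com.
    A host with no known suffix is returned unchanged."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()


def origin(url):
    """(scheme, host, port) with default ports made explicit, so that
    https://example.com and https://example.com:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def autofill_allowed(saved_url, page_url, same_site=False):
    """Decide whether a credential saved on saved_url may be filled on page_url."""
    saved, page = origin(saved_url), origin(page_url)
    if page[0] != "https":
        return False  # assumption: never fill over plain http, even if saved there
    if saved == page:
        return True
    if same_site:
        return (saved[0] == page[0] and saved[2] == page[2]
                and registrable_domain(saved[1]) == registrable_domain(page[1]))
    return False


def triage(saved_url, candidate_pages, same_site=False):
    """Map each candidate page URL to the autofill decision for it."""
    return {p: autofill_allowed(saved_url, p, same_site) for p in candidate_pages}


SAVED = "https://portal.example.com/login"          # constructed saved origin
CANDIDATES = [                                       # constructed pages
    "https://portal.example.com/login",              # genuine page
    "https://portal.example.com:443/login",          # same origin, explicit port
    "https://portal.examp1e.com/login",              # digit-for-letter look-alike
    "https://portal.example.com.not-example.net/login",  # real name nested under another domain
    "http://portal.example.com/login",               # TLS stripped
    "https://sso.example.com/login",                 # sibling subdomain
]

if __name__ == "__main__":
    for page, ok in triage(SAVED, CANDIDATES).items():
        print("fill" if ok else "skip", page)
```

With the strict default only the first two candidates are filled; the user who lands on the digit-for-letter host or the nested-subdomain host sees an empty field, which is the cue the memo describes. Enabling same_site additionally accepts the sibling subdomain, a trade-off each organization should make deliberately.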

EHRs are killing medical innovation

“The purpose of humanity is not just to sit behind a counter and do things. More free time is not a terrible thing.”

Bill Gates, paraphrased

I have innovated. I developed a mutation assay. I discovered that vacuum ultraviolet light from excimer lasers is safe to use on human tissue. I invented an imaging device to detect burn wound depth and discovered the best laser to debride burn wounds. I invented a laser-based treatment for acne. I developed and patented an online gamified collective intelligence solution to identify dermatology images. I have participated and published as a clinician in numerous population health studies. I’ve got a few more things that I want to build and do based on my four years of medical school education, eight years of post-medical school residency and fellowship training in internal medicine, dermatology and cutaneous surgical oncology and two decades of clinical practice. Ideas for innovation arise from experience as a clinician-physician. We physician-clinicians care for patients, use all our senses, and our minds to recognize problems and apply solutions to improve the value (outcomes/costs) of preventive, medical, surgical or palliative outcomes. One needs to spend only a few hours in the basement stacks of Harvard’s Countway Medical Library to recognize the speed of physician-clinician led medical innovation which has in many ways dwarfed Moore’s Law.

For physician-clinician innovation to occur, doctors need extra hours to work on innovative projects. Clinician-physicians working alone or with others often sacrifice family and friends to accomplish meaningful innovation, but the pay-off, intrinsically for the physician and extrinsically for society and patients, has been worth it. Impediments to physician-clinician-led innovation have devolved during the last five years that are robbing continued progress against diseases and optimized preventive, medical, surgical and palliative care outcomes. The gift of giving clinicians time to gaze, dream and work together to apply the art and sciences of medicine towards the advancement of health care innovation has been stolen by the electronic health record (EHR) and insurance company prior authorization (PA) rationing industries.

When EHRs were first introduced, health information technology seemed like a sound idea. Patient personal medical health information, labs, photos as well as physicians’ assessments and plans would be inputted into interoperable EHRs by physicians around the nation. The EHR in return would tabulate and reveal individual and aggregated data from interoperable EHRs according to all medical chart variables resulting in optimized preventive, medical, surgical and palliative outcomes and costs as well as improved clinical safety for patients and clinical efficiency for their physicians. We now know, despite federal law forcing American physicians to lease EHRs plus an additional $35 billion in taxpayer subsidies poured into the EHR industry — none of the assumed clinical advantages of EHRs have reached fruition. Blockchain or FHIR type decentralized interoperable encoded population health benefiting patients and physicians isn’t happening because optimizing data value equals outcomes/cost solutions are proprietary to industry and may diminish the earnings of the health insurance, pharmaceutical, medical malpractice, hospital, and EHR industries.

Another major unintended consequence of the government forcing physicians to use EHRs has been the shift of physician-clinician work, financial resources and time away from direct patient care and innovation into manual data entry. A recent study published in the Annals of Internal Medicine revealed that for every hour a physician spends in direct patient care the physician must perform two hours of EHR data entry. A similar study by the AMA reveals that physicians’ EHR data entry tasks often follow the physician home into the late evening hours (“pajama time”), leaving little time for extra-clinical activities such as family, friends and continuing medical education or innovation. Yet not one EHR company in America will be transparent and reveal its physician time-motion EHR use data to refute the damning published research. Most patient personal health information, lab data and images entered by physicians (who pay the EHR companies for the privilege of entering data) are sold by the EHR companies to ancillary health care companies but not tabulated, aggregated and returned to physicians or patients to improve outcomes/costs.

With little or no extra time for extracurricular activities beyond their practices and inputting data for sale by the EHR companies, there can be little physician-clinician innovation on any kind of translatable scale.

In addition to the EHR industry, another time drain has devolved to interfere with the ability of the physician-clinicians to innovate. Until recently, physicians would use their clinical intelligence based on years of training, continuing medical education and clinical experience to optimize preventive, medical, surgical and palliative outcomes and costs for their patients and their families. Physicians perform histories and physical examinations often resulting in prescriptions for medications, diagnostic orders, specialist referrals or recommended treatments to optimize prevention, medical, surgical and palliative outcomes for patients and their families. This science of the physician-patient interaction combined with the art of empathy is the essence of what doctors do.

Today, most private health insurance corporations ration and interfere with physicians’ diagnostic and treatment decisions via a health insurance industry solution termed “prior authorization” (PA) to enhance insurance company profits. Prior authorization forces millions of patients and their physicians to spend hours daily manually completing multiple pages of paper or internet forms for re-submission to a non-physician insurance industry bureaucrat who — after days, weeks or months of delay — decides if the physician’s recommended diagnostics or treatments for his or her patient will be reimbursed or allowed by the health insurance company.

Most often, health insurance corporate PA decisions against the patients and against medical advice are not made by a board-certified physician who performs a history or physical exam or discussion with the targeted patient. There is not a patient or physician in America with private health insurance who hasn’t experienced the demeaning and potentially dangerous task of manual PA health care rationing of medications, diagnostics or treatments. What’s good for the patient based on the physician’s assessment may be harmful to the earnings of the insurance or pharmaceutical benefits company, and thus PA rationing was spawned.

Spending tens of hours each week on the clinically valueless and inefficient tasks of data entry into EHRs and attempting to override insurance company prior authorization rationing leaves no time for the physician-clinician to innovate or iterate advances in medicine. The future of health care and the value equals outcomes/costs of health care in America will continue to be damaged by the EHR and health insurance industries by inhibiting clinician-physicians from participating in medical innovation and clinical translation in America.

“EHRs are killing medical innovation”. Kevin MD, US. Retrieved February 15, 2019.

Critical Parts of a Quality Risk Management Plan (Part 1)

A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks.

The premier HIPAA compliance consulting firm, Aligned Risk Management.

Parts of a Risk Management Plan

  1. Risk Planning
  2. Risk Identification
  3. Risk Analysis
  4. Risk Response Plans
  5. Risk Register

Risk Planning

Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Risk management is the process of identifying, analyzing, mitigating, and communicating risks.


All systems have vulnerabilities. The US Department of Health and Human Services defines a vulnerability as:

[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

The US Department of Health and Human Services defines a risk as:

The net mission impact considering the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.

Risks arise from legal liability or mission loss due to:

  • Unauthorized (malicious or accidental) disclosure, modification, or destruction of information;
  • Unintentional errors and omissions;
  • IT disruptions due to natural or man-made disasters;
  • Failure to exercise due care and diligence in the implementation and operation of the IT system.

When a risk event occurs, it is no longer uncertain. It becomes an issue.

Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization, mitigated by controls. The relationship among these five concepts (threat, vulnerability, likelihood, impact and controls) forms the basis of our risk assessment approach, which can be thought of as a formula:

(Impact · Likelihood) × (Threat · Vulnerability)


The risk level is calculated using three underlying components:

  • Likelihood: The probability of the event happening. How likely is it that a threat acts on the vulnerability?
  • Impact: The consequences of the risk event. What happens if the threat acts on the vulnerability?
  • Effectiveness of Existing Controls: Existing controls and their effectiveness at mitigating risk. What is being actively done to mitigate the effects of a risk?

Likelihood × Impact − Controls ⇒ Risk Level

To illustrate, a plane crashing into your office has a high impact but a low probability. In fact, the probability is so low that the overall risk is probably insignificant. On the opposite end of the scale, a road construction project being delayed by rain is an event with a low impact but a high probability of occurrence. Thus, it is a significant risk.

A HIPAA Risk Management Plan should begin with an analysis of the organization's risk tolerance, that is, a Risk Assessment. Questions to ask include:

  • What projects have been completed in the past and what unexpected issues occurred?
  • What was the response of the organization?
  • What permanent changes were made? Were they justified?
  • Did the response cause a corresponding loss of business?
  • Did the response cause a corresponding loss of future projects?

Risk Levels

Another part of the risk planning portion of the Risk Management Plan is the definition of risk levels. Here is an example:

  • Very Low: The event is highly unlikely to occur under regular circumstances.
  • Low: The event is unlikely but should be noted by the project team.
  • Medium: The event has a normal chance of occurring and the project team should be aware of it.
  • High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
  • Very High: The occurrence of the event should be actively managed and mitigation actions taken.

Aligned Risk Management breaks down risk levels into four categories: Negligible, Marginal, Serious, and Critical.

Negligible Risk

Theoretical risk. Unlikely to be a serious concern.

  • Vulnerability is very unlikely to be exercised, OR
  • Existing controls are highly effective at mitigating the risk, OR
  • Potential impact on security, privacy and availability of ePHI is low

Marginal Risk

Unlikely to be an immediate concern, especially in light of other, more severe risks.

  • Some likelihood that vulnerability could be exercised
  • Existing controls provide some effective mitigation of risk

Serious Risk

Potential for significant impact on operations. Effective risk management, or a reasonable plan for it, is recommended in the near future.

  • Vulnerability is likely to be exercised
  • Existing controls provide inadequate mitigation of risk
  • Potential for significant impact on security, privacy or availability of ePHI

Critical Risk

Failure to implement controls required by HIPAA. Potential liability and exposure to penalties. Potential for malicious exploitation. Exercise of vulnerability could cause mission-critical damage to business operations. Prompt intervention strongly recommended.

  • Vulnerability is very likely to be exercised or is currently being exercised
  • Existing controls provide little effective mitigation of risk
  • Potential for high or even catastrophic impact on security, privacy or availability of ePHI
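As an added example that is not part of this article or of Aligned Risk Management's method, the following Python script turns the formula above (Likelihood × Impact − Controls ⇒ Risk Level) and the four-level scale just described into a small risk register. The five-word likelihood scale is the page's; the numbers attached to each word, the impact and control-effectiveness weights, the score cut-offs between Marginal and Serious, and every entry in the sample register are assumptions made for this illustration. Critical and Negligible are applied as the page states them, as rules rather than as scores: a missing HIPAA-required control is Critical outright, and any one of the three Negligible conditions is enough on its own.

```python
"""Risk register example applying this page's formula:
Likelihood x Impact - Controls => Risk Level, bucketed into the four levels
Negligible / Marginal / Serious / Critical.

All numeric scales, weights and cut-offs below are assumptions for this
example, not Aligned Risk Management's or HHS's published scoring."""

from __future__ import annotations

from dataclasses import dataclass

# Assumed ordinal scales. The page gives the five likelihood words; the
# numbers attached to them are this example's choice.
LIKELIHOOD = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
IMPACT = {"low": 1, "medium": 3, "high": 5}
# Control effectiveness as the fraction of raw risk removed (assumed values).
CONTROL_EFFECT = {"none": 0.0, "little": 0.25, "some": 0.5, "highly effective": 0.9}

LEVEL_RANK = {"Negligible": 0, "Marginal": 1, "Serious": 2, "Critical": 3}


@dataclass
class Risk:
    threat: str             # who or what exercises the vulnerability
    vulnerability: str      # the flaw or weakness being exercised
    likelihood: str         # key of LIKELIHOOD
    impact: str             # key of IMPACT (on security, privacy or availability of ePHI)
    controls: str           # key of CONTROL_EFFECT
    required_control_missing: bool = False  # a HIPAA-required safeguard is absent


def residual_score(risk: Risk) -> float:
    """Likelihood x Impact, reduced by the share the existing controls mitigate."""
    raw = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]   # 1..25
    return raw * (1.0 - CONTROL_EFFECT[risk.controls])


def risk_level(risk: Risk) -> str:
    """Map a risk to one of the four levels defined on the page.

    Critical and Negligible are stated on the page as rules, so they are
    checked first; Marginal and Serious are separated by assumed cut-offs
    on the residual score."""
    if risk.required_control_missing:
        # "Failure to implement controls required by HIPAA" is Critical outright.
        return "Critical"
    if (risk.likelihood == "very low"
            or risk.controls == "highly effective"
            or risk.impact == "low"):
        # Negligible: any one of the page's three OR conditions suffices.
        return "Negligible"
    score = residual_score(risk)
    if score < 8:
        return "Marginal"
    if score < 15:
        return "Serious"
    return "Critical"   # very likely, poorly controlled, high impact


def prioritize(register: list[Risk]) -> list[tuple[str, float, str]]:
    """Order a register most-severe first: by level, then by residual score."""
    rows = [(risk_level(r), residual_score(r), r.vulnerability) for r in register]
    return sorted(rows, key=lambda row: (LEVEL_RANK[row[0]], row[1]), reverse=True)


# Constructed sample register (illustrative entries, not any client's data).
SAMPLE_REGISTER = [
    Risk("thief", "unencrypted laptop holding ePHI leaves the building",
         "high", "high", "none"),
    Risk("former employee", "accounts not deactivated on termination",
         "very high", "high", "some"),
    Risk("phisher", "shared mailbox with no multi-factor authentication",
         "medium", "medium", "some"),
    Risk("aircraft", "plane crashes into the office",
         "very low", "high", "none"),
    Risk("vendor", "cloud backup provider with no business associate agreement",
         "medium", "high", "little", required_control_missing=True),
]

if __name__ == "__main__":
    for level, score, vuln in prioritize(SAMPLE_REGISTER):
        print(f"{level:<10} {score:5.2f}  {vuln}")
```

Running the script lists the register most-severe first: the unencrypted laptop and the vendor without a business associate agreement come out Critical, the stale former-employee accounts Serious, the unprotected mailbox Marginal, and the plane crash Negligible despite its high impact, which is the point the article's own example makes. The rule-first ordering matters: a numeric score alone would never flag a missing required control as Critical when its likelihood happens to be modest.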


A good brainstorming tool is to consider the assumptions made by the project. Most projects have disclaimers in their underlying contracts absolving the performing party of various obvious risks, but what about the next most obvious ones?

  • What assumptions has the project budget made?
  • What assumptions has the project schedule made (completion date, milestones, etc.)?
  • What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
  • Which relationships are being assumed to be strong that are not necessarily (owner, sponsor, client, contractor, consultant)?
  • How many previous projects with similar components have been completed successfully? What were the project issues?

Stay tuned for Part 2 of Aligned Risk Management’s series, Critical Parts of a Quality Risk Management Plan.

Project Engineer, Building Better Project Managers.

HIPAA compliance consulting

The premier HIPAA compliance consulting firm, Aligned Risk Management.

Aligned Risk Management helps healthcare organizations streamline and simplify HIPAA compliance efforts so that you can get back to providing the critical services your patients need. Our expert consulting staff works with you to ensure the privacy, security, and integrity of your systems. This specialized knowledge makes us the leading consulting firm for HIPAA compliance and healthcare risk management.

We’ll play defense so you don’t have to…

Defense of protected health information and the security of your systems is important to the safety of your patients. But it is also critical to the success of your practice. Data privacy concerns make headlines every day, and healthcare companies are especially vulnerable to the effects of unaddressed risk. Patient concern is growing. Regulations are poised to become more demanding. You want to concentrate on better serving your patients, and we make that possible.

HIPAA compliance has to start somewhere…

Everything starts with a HIPAA risk assessment report, which our analysts will perform and interpret for you. They perform the assessment according to the standards outlined in NIST Special Publication 800-30 (Guide for Conducting Risk Assessments), the gold standard for assessing risk. The results of this report are used to define actionable steps informed by deep-dive interviews with your organization’s key staff, regular site visits, policy document analysis, and vendor contract reviews.

…but our process doesn’t stop with just a risk assessment.

It doesn’t stop there. Risk management is a process, so our program includes regular follow-ups to make sure that you are successful. We assist in implementing recommendations and in documenting your efforts to ensure your success in case of an audit. Together, we’ll find high-value solutions that really matter, instead of wasting resources on unnecessary tools or time-consuming procedures that do not fit the way your organization operates.

Compliance with HIPAA can feel overwhelming. The most frequent question we hear is “Where do I start?” Start right here with Aligned Risk Management, and put yourself ahead of the curve.

Ready to get started? Schedule a meeting with Patrick.

Four easy steps to address the HIPAA elephant in 2019

This is Heather, the HIPAA elephant, because we know that HIPAA can feel like an elephant. How do you tackle Heather, the HIPAA elephant? One bite at a time!

HIPAA fines are up. Audits by the Department of Health and Human Services are up. 2019 is shaping up to be a rather tumultuous and dangerous year for healthcare providers as they ramp up to address their HIPAA privacy obligations.

Here are four steps to FAIL your next HIPAA audit.

And here are four steps to start out ahead this year….


There are so many different ways to start tackling another aspect of HIPAA. Do you want to make some headway in implementing technical safeguards? Great: two-factor authentication. What about administrative safeguards? Awesome. Update your workforce sanctions policy and make sure it's realistic. What about physical safeguards? Get those contingency operations plans updated. Whatever you decide to do, you'll have to start somewhere.

“When eating an elephant take one bite at a time.”

Creighton Williams Abrams Jr.

I never said that eating the HIPAA elephant was going to be easy. But since you have to, you might as well start with one bite at a time. Approach HIPAA like you would an elephant and you’ll be surprised at just how much you can accomplish in a short period of time.

2. Business Associate Agreements

I’ve seen a lot of embarrassingly insufficient business associate agreements (BAA). As a recap, a “business associate” is typically a vendor of a healthcare provider: a person or entity, other than a member of the workforce of a covered entity, that provides certain services to a covered entity. Remember, such a service directly involves access by the business associate to protected health information (PHI).

Among other confusing relationships that can exist between entities, a covered entity can be a business associate to another covered entity.

As part of your approach to HIPAA in 2019, perhaps it’s time to evaluate the relationship between yourself and your vendors, or between yourself and your clients. Are you a covered entity? Are you a business associate? Do you have business associates?

Once you’ve done some review of those relationships and you’ve identified all your vendors and business associates, it’s time to review those business associate agreements.

There are ten critical terms that must be addressed in these contracts. Find out more about these ten terms here: Requirements of a Business Associate Agreement (BAA).

3. Policies, Procedures and Internal Operations

Cookie cutter policies aren’t going to cut it. In this industry, so highly regulated by HHS, it’s highly unlikely that you’ll get away with taking any shortcuts. Let’s tackle your policies and procedures and how they relate to the realistic operations of your organization.

Are they accurate? I mean, do your policies accurately reflect how your workforce carries out their day-to-day operations? If you’re documenting in your policies that your workforce implements rigorous access revocation procedures upon employee termination, but this isn’t being practiced regularly by your IT staff, that’s not good. You’re saying that you’re doing this, but if that can’t be proven and is likely to be disproved by the dozens of former employee accounts that haven’t been deactivated, HHS will certainly have a field day. At your expense.

Don’t let that happen. Get on top of your policies and procedures. Make sure they’re honest and truthful. Maybe it’s time to actually change some operations and procedures to better protect patient privacy. Maybe you’ll learn something about your own organization. It’s another bite you can take out of the HIPAA elephant. It’s getting smaller!

4. Risk Assessment

Calling in the experts can be totally nerve-racking. You’re inviting others into the sensitive operations of your organization, exposing your internal practices to a stranger. We’re not the bad guys. We’re here to help you.

Updating your risk assessment can give you invaluable insight into modern best-practices that you weren’t aware of. It can make you aware of problematic business operations that really ought to be corrected and streamlined.

And best of all, you’ll get a great plan for continuous improvement: a plan consisting of the best actionable steps you can take to make the most impact in mitigating risk at your organization.

Don’t forget, HIPAA compliance starts with a risk assessment.

“When eating the HIPAA elephant, take one bite at a time.”

Patrick Brenner

Take action. Put yourself at ease and get started. Together, we can minimize your exposure to HIPAA and make 2019 a bad revenue year for HHS.