In the last couple of years, the U.S. Department of Health & Human Services’ Office for Civil Rights has become more aggressive in enforcing HIPAA regulations.
Besides being catastrophic for your business and your public image, data breaches can also lead to stiff fines from the Office for Civil Rights. Check out this article about Metro Community Provider Network’s email phishing incident, and how it led to the discovery that they had not performed proper risk assessments. They were fined $400,000—a relatively low amount, as most fines like this are in the millions.
Proper vulnerability assessments, security education for your employees, and proactive security measures are far cheaper than the fines levied by OCR for violating HIPAA regulations, and might just save your business.
OCR’s guidance on the Security Rule may be found at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.