A Security Risk Assessment is Mandatory for Your Practice or Organization.

Avoid EHR and HIPAA Penalties by Hiring a Certified Professional to Handle Your Annual Security Risk Assessments.

What Happens if We Don’t Do a Proper Security Risk Analysis?

About one in 20 participants in the meaningful use program can expect to face an audit for compliance with the program’s requirements, according to a CMS official.

The most common problems identified in the audits so far are:

  • Noncompliance with the requirement that health care providers conduct a data security risk assessment, which is also a requirement under HIPAA; and
  • A lack of adequate documentation to support responses to some of the “yes or no” meaningful use requirements, such as whether a formulary is active, or proof of drug-to-drug and drug-allergy checks.

The Security Risk Analysis evaluates your practice’s compliance with the HIPAA Security Standards. Failure to complete the Security Risk Analysis can prevent you from collecting the EHR incentive and/or risk the EHR Incentive you do receive in the event of an audit.

There are two types of penalties:

Meaningful Use Disqualification – The EHR incentive program requires satisfying all of the MU Measures. Reporting completion of the MU requirements with a failed or even missing Security Risk Analysis places your entire payment at risk. If you are audited (and this is a very regular occurrence), you will not only be disqualified but may have to pay back every penny of incentive money already received.

HIPAA Security Penalties – If the Security Risk Analysis is not properly completed or the practice fails to address issues that would have been uncovered during a more appropriate analysis, your practice may be subject to HIPAA Security penalties. Indeed, such penalties can amount to more money per provider than you will ever receive for the EHR incentive program.

Examples of HIPAA Security Penalties Since 2011

Incident: A Massachusetts General Hospital employee took some work home, but accidentally left 192 paper billing records—containing detailed protected health information—on the subway.

Penalties: Even though it appears to have been an accident, severe penalties have been imposed on the hospital:

  • $1-million fine
  • Three-year corrective action plan of unprecedented oversight and intervention by the OCR, including the appointment of a designated OCR representative on premises to conduct audits and inspections, and additional and frequent reporting to OCR on the hospital’s HIPAA compliance.
  • Requirements to develop comprehensive policies and procedures on laptop and USB encryption, even though the breach involved paper records. The hospital must also implement a comprehensive training program on HIPAA policies and provide written certification that all staff have received and understand the policies.


Incident: Cignet denied 41 patients, on separate occasions, access to their medical records when requested. This is a violation of the HIPAA Privacy Rule, which requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The company also failed to cooperate with the Office for Civil Rights’ investigation.

Penalties: The fine for the initial violation was $1.3 million. OCR concluded that Cignet had committed willful neglect in failing to comply with the Privacy Rule. The fine for these willful-neglect violations was $3 million.


Incident: An employee of a Miami hospital stole patient information, then sold it as part of an identity theft conspiracy.

Penalties: The employee was sentenced to two years in prison, including 12 months of home confinement, to be followed by three years of supervised release.


Incident: A researcher at the UCLA School of Medicine received a notice of termination. In retaliation, that evening, he accessed the medical records of his superior and co-workers, and during three other periods over the next four weeks, he accessed UCLA patient records, many of them involving celebrities, a total of 323 times.

Penalty: The researcher was sentenced to four years in prison for violating the HIPAA Privacy Rule.

The OCR is not the only enforcement agency taking action for HIPAA violations. Licensing boards and employers can also take action including suspension and termination.


Incident: A physician in Rhode Island posted details of some of her emergency room encounters on Facebook.

Penalty: The Rhode Island Board of Medical Licensure found her guilty of unprofessional conduct and issued a reprimand and a fine. Even though patient names were not used, there was sufficient information about the nature of the injuries to one patient to allow an unauthorized third party to figure out who the patient was. The physician claimed she did not intend to disclose confidential information.


Incident: Thirteen staff members at UCLA accessed Britney Spears’ medical records without authorization.

Penalty: UCLA fired the 13 individuals and suspended another 6.


Incident: A doctor and two hospital employees accessed the medical records of slain Arkansas TV reporter Anne Pressly, who was found severely beaten in her home and died five days later. The details of her attack were leaked to the media.

Penalty: The three individuals pled guilty to misdemeanors for violating HIPAA Privacy Rules. A federal judge fined the doctor and the two hospital employees and sentenced them to one year probation. The hospital suspended the doctor’s privileges for two weeks and terminated the two employees, an account representative and an emergency room coordinator.



About Bryan Brothers

Bryan Brothers is a healthcare consultant with over ten years’ experience in the healthcare and insurance industries.

With a start in IT business and retail network development, the transition to electronic medical records and meaningful use consulting services was a natural fit.

Bryan is a member of AHIMA, HIMSS, and the NRHA.

He served on the advisory board of Jefferson Technical College’s HIT program. As a member of the staff of the University of Kentucky’s Regional Extension Center, he worked as a policy and implementation advisor as well as a security consultant. Bryan has served as lead advisor to major clients such as Norton Healthcare and Twin Lakes Medical Foundation, and has worked with many prominent groups in central KY such as Nephrology Associates of Kentuckiana.

As the former REC Administrator for University Health Care, Bryan brings experience and knowledge to the table as a trusted advisor and privacy and security expert. In 2012 Bryan was commissioned as a Kentucky Colonel by Governor Steven Beshear, the award being the highest honor awarded by the Commonwealth of Kentucky.

Bryan has worked with over 1,100 providers, assisting with the achievement of meaningful use and the completion of the HIPAA privacy and security risk assessment.

When Bryan performs a HIPAA Security Risk Assessment, he includes the following:

HIPAA Security Risk Assessment

  • Security Risk Analysis based on HITECH requirements for MU
  • Review of Administrative, Technical & Physical safeguards
  • Remediation plan and timeline to eliminate or mitigate identified gaps
  • HIPAA-compliant sample policies provided
  • Performed by AHIMA Certified HIPAA Privacy & Security professionals
