
First SRA Violation Settlement – Ep 485 

 November 22, 2024

By  Donna Grindle

Doing a half-baked risk analysis is like locking your front door but leaving all the windows wide open. What’s the point? Today, we dive into the first-ever Security Risk Assessment (SRA) violation settlement—a juicy topic for compliance nerds and healthcare pros alike. We’re talking ransomware, compliance checklists (the kind you actually need), and why a “kinda-sorta risk analysis” isn’t going to cut it with the OCR. Along the way, we’ll break down the $90K fine, the three-year corrective action plan, and what this means for everyone still winging their HIPAA risk assessments. Time to up your game folks!


In this episode:

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA



First SRA Violation Settlement

[03:08] In May 2022, OCR received a breach report that Bryan County Ambulance Authority (BCAA) in Oklahoma was hit with a ransomware attack. There were 14,273 patients involved in the encryption attack. This will always prompt an investigation. If they just had their documentation in place to show they were doing at least the bare minimum, that would have ended it. Unfortunately, the investigation found they had failed to conduct a “compliant risk analysis” which means they must have done something but not the right thing.

Bryan County Ambulance Authority Resolution Agreement and Corrective Action Plan | HHS.gov

Failure to conduct a HIPAA Security Rule risk analysis leaves health care entities vulnerable to cyberattacks, such as ransomware. Knowing where your ePHI is held and the security measures in place to protect that information is essential for compliance with HIPAA. OCR created the Risk Analysis Initiative to increase the number of completed investigations and highlight the need for more attention and better compliance with this Security Rule requirement.

OCR Director Melanie Fontes Rainer

The settlement involved a $90,000 payment and an agreement to a three-year corrective action plan (CAP).

They will be doing the SRA with a risk management plan with written policies and procedures along with “Training its workforce on its HIPAA policies and procedures.”

What is a compliant SRA? According to their CAP, it involves the following:

BCAA shall conduct and complete an accurate and thorough analysis of security risks and vulnerabilities that incorporates:

  • all electronic equipment,
  • data systems,
  • programs,
  • and applications controlled, administered, owned, or shared by BCAA that contain, store, transmit or receive BCAA electronic protected health information (ePHI).

[21:09] As part of this process, BCAA shall include a complete inventory of all:

  • electronic equipment,
  • data systems,
  • off-site data storage facilities,
  • and applications that contain or store ePHI

which will then be incorporated in its risk analysis.

And the risk management plan shall include a process and timeline for BCAA’s implementation, evaluation, and revision of its risk remediation activities.
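The CAP language above boils down to three checks you can actually run against your own records: every ePHI asset in the inventory has a risk analysis entry, every open remediation item has a timeline, and nothing on that timeline has quietly slipped past its date. The script below is an added example written for these show notes, not BCAA's or OCR's material; the asset names, scores and dates are constructed sample data, and the 1-to-5 likelihood/impact scoring is an assumed convention, not something the CAP prescribes.

```python
"""Added example: inventory-to-risk-analysis coverage check.

Models the CAP's three pieces (asset inventory, risk analysis, risk
management plan with a timeline) and reports where they do not line up.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    kind: str          # equipment, data_system, offsite_storage, application
    holds_ephi: bool
    owner: str


@dataclass
class RiskItem:
    asset: str
    threat: str
    likelihood: int    # assumed 1 (rare) .. 5 (expected) scale
    impact: int        # assumed 1 (minor) .. 5 (severe) scale
    remediation: str
    due: Optional[date]
    status: str        # "open" or "closed"

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed inventory: the four CAP categories plus one non-ePHI asset.
INVENTORY: List[Asset] = [
    Asset("dispatch-laptop-07", "equipment", True, "dispatch"),
    Asset("epcr-tablet-fleet", "equipment", True, "field-ops"),
    Asset("billing-server", "data_system", True, "billing"),
    Asset("cloud-backup-vendor", "offsite_storage", True, "it"),
    Asset("epcr-saas", "application", True, "field-ops"),
    Asset("station-tv", "equipment", False, "facilities"),
]

# Constructed risk register: two ePHI assets are missing entirely.
RISK_REGISTER: List[RiskItem] = [
    RiskItem("billing-server", "ransomware encryption", 4, 5,
             "offline immutable backups", date(2024, 12, 31), "open"),
    RiskItem("epcr-tablet-fleet", "lost or stolen device", 3, 4,
             "full-disk encryption", None, "open"),
    RiskItem("epcr-saas", "credential theft", 3, 5,
             "enforce MFA", date(2024, 10, 1), "open"),
]


def analysis_gaps(inventory: List[Asset], register: List[RiskItem]) -> List[str]:
    """ePHI assets present in the inventory but absent from the risk analysis."""
    covered = {r.asset for r in register}
    return sorted(a.name for a in inventory if a.holds_ephi and a.name not in covered)


def plan_gaps(register: List[RiskItem], today: date) -> Tuple[List[RiskItem], List[RiskItem]]:
    """Open items with no timeline, and open items past their due date."""
    open_items = [r for r in register if r.status == "open"]
    missing = [r for r in open_items if r.due is None]
    overdue = [r for r in open_items if r.due is not None and r.due < today]
    return missing, overdue


def prioritized(register: List[RiskItem]) -> List[str]:
    """Open items ordered by likelihood x impact, highest first."""
    open_items = [r for r in register if r.status == "open"]
    return [r.asset for r in sorted(open_items, key=lambda r: r.score, reverse=True)]


def report(inventory: List[Asset], register: List[RiskItem], today: date) -> dict:
    missing, overdue = plan_gaps(register, today)
    return {
        "not_in_risk_analysis": analysis_gaps(inventory, register),
        "no_timeline": [r.asset for r in missing],
        "overdue": [r.asset for r in overdue],
        "priority_order": prioritized(register),
    }


if __name__ == "__main__":
    for key, value in report(INVENTORY, RISK_REGISTER, date(2024, 11, 22)).items():
        print(f"{key}: {value}")
```

Run as-is and the two uncovered ePHI assets, the item with no due date and the item that is past due all show up in the output; swap in your own inventory export and register and the same three checks apply. The point of the script is the shape of the data, not the scoring: an asset that is in the inventory but not in the register is exactly the "kinda-sorta risk analysis" OCR is describing.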

HIPAA Checklist Kind Of

[28:11] For everyone who wants a checklist of what you should be doing under the Security Rule, OCR included something as close to one as you will ever get from them when they added this to the end of the announcement notice:

OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:

  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
  • [35:04] Integrate risk analysis and risk management into business processes regularly.
  • Ensure audit controls are in place to record and examine information system activity.
  • Implement regular review of information system activity.
  • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
  • Encrypt ePHI to guard against unauthorized access to ePHI.
  • Incorporate lessons learned from incidents into the overall security management process.
  • Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.
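Three of those bullets (audit controls, regular review of system activity, and MFA) only mean something if someone actually looks at the records. Below is an added example, not OCR's or the show's code, of what a minimal periodic review could look like: it parses constructed audit log lines in an assumed key=value format and flags ePHI access without MFA, bulk exports, and after-hours activity. The field names, the 500-record export threshold and the 06:00 to 20:00 business window are all assumptions chosen for the example.

```python
"""Added example: a small review pass over ePHI access audit records.

The log format (space-separated key=value fields after an ISO timestamp),
the rules and the sample lines are all constructed for illustration.
"""
from datetime import datetime
from typing import Dict, List, Tuple

BULK_EXPORT_THRESHOLD = 500   # assumed: exports above this are reviewed
BUSINESS_HOURS = (6, 20)      # assumed: 06:00 to 19:59 is normal activity

# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2024-11-20T09:15:02 user=asmith action=view patient=P1001 mfa=yes src=10.0.0.12
2024-11-20T02:14:09 user=jdoe action=export records=1200 mfa=yes src=10.0.0.40
2024-11-20T14:03:55 user=svc-billing action=login mfa=no src=203.0.113.7
2024-11-20T14:04:10 user=svc-billing action=view patient=P1002 mfa=no src=203.0.113.7
2024-11-20T18:30:00 user=asmith action=export records=25 mfa=yes src=10.0.0.12
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn '<timestamp> k=v k=v ...' into a dict; timestamp kept under 'ts'."""
    parts = line.split()
    event = {"ts": parts[0]}
    for field in parts[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def rules_for(event: Dict[str, str]) -> List[str]:
    """Return the names of every review rule the event trips."""
    hits = []
    if event.get("mfa") == "no":
        hits.append("no_mfa")
    if event.get("action") == "export" and int(event.get("records", "0")) > BULK_EXPORT_THRESHOLD:
        hits.append("bulk_export")
    hour = datetime.fromisoformat(event["ts"]).hour
    if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
        hits.append("after_hours")
    return hits


def review(log_text: str) -> List[Tuple[int, str, str]]:
    """(line number, user, rule) for every finding, in log order."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in rules_for(event):
            findings.append((number, event.get("user", "?"), rule))
    return findings


def by_user(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Finding counts per user, the first thing a reviewer wants to see."""
    counts: Dict[str, int] = {}
    for _, user, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for number, user, rule in review(SAMPLE_LOG):
        print(f"line {number}: {user}: {rule}")
    print(by_user(review(SAMPLE_LOG)))
```

None of these rules proves wrongdoing; the 2 a.m. export might be a legitimate batch job. What they prove is that the audit controls exist and that someone is examining the output, which is the "regular review of information system activity" bullet in a form you can show an investigator.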

There you have it – your HIPAA checklist!

So there you have it—a deep dive into the first SRA violation settlement and the lessons it holds for everyone in healthcare. If Bryan County’s $90K fine and three-year corrective action plan don’t motivate you to tighten up your HIPAA game, nothing will. Remember, it’s not just about ticking boxes; it’s about creating a culture where risk management and compliance are as natural as coffee breaks (but hopefully less stressful). Whether it’s updating your inventory, wrangling those sneaky SaaS apps, or finally taking workforce training seriously, the time to act is now—because the OCR is watching, and they brought receipts.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
