A clinical laboratory in May agreed to pay $25,000 to the Office for Civil Rights (OCR) and implement a corrective action plan to settle potential HIPAA Security Rule violations. What happened? The organization failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI (ePHI), according to the resolution agreement with OCR.
The foundation of a thorough risk assessment is to properly define its scope, according to Dan L. Dodson, CEO of Franklin, Tennessee–based cybersecurity firm Fortified Health Security. Dodson recommends that organizations determining scope must first understand the locations (systems and assets) that store, process, transmit, or interact with ePHI within the organization, as well as the data flow or exchange with their vendors and third parties.
To read the full article, visit Revenue Cycle Advisor.