Failure to Run a HIPAA Security Risk Analysis Gets Costly

You Won’t be Able to Protect PHI Without a Security Risk Analysis

Effective cybersecurity and HIPAA security starts with an accurate and thorough security risk analysis and implementing all of the Security Rule requirements. Anything short of that can lead to major and costly consequences, as happened with one university.

It’s risky to take shortcuts in your risk analysis. In fact, it could cost you hundreds of thousands of dollars when a HIPAA breach occurs, not to mention your credibility. The experts at PrivaPlan can help ensure that won’t happen. But first, let’s take a look at a recent case: an organization that had not conducted an accurate and thorough security risk analysis, and whose web server was then accessed by a hacker. This HIPAA breach occurred six years ago; this year a big fine was enforced.

Oklahoma State University Center for Health Sciences (OSUCHS) paid $875,000 to the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. The resolution and corrective agreement can be found here.

What Potential HIPAA Violations Were Found?

An unauthorized third party gained access to a web server that contained electronic protected health information (ePHI). The hacker then installed malware that resulted in the disclosure of the ePHI of 279,865 individuals, including their names, Medicaid numbers, healthcare provider names, dates of service, dates of birth, addresses, and treatment information. OSUCHS initially reported that the breach occurred in 2017, but later reported that the ePHI was first impermissibly disclosed in 2016. The potential HIPAA violations found in the breach were:

  1. impermissible uses and disclosures of PHI and ePHI
  2. failure to conduct an accurate and thorough risk analysis
  3. failure to perform an evaluation
  4. failures to implement audit controls, security incident response and reporting
  5. failure to provide timely breach notification to affected individuals and the HHS

“HIPAA covered entities are vulnerable to cyberattackers if they fail to understand where ePHI is stored in their information systems,” said OCR Director Lisa J. Pino. “Effective cybersecurity starts with an accurate and thorough risk analysis and implementing all of the Security Rule requirements.”

Protect PHI & ePHI with a Risk Analysis

First, read Pino’s quote again, focusing especially on the second sentence. Then review your risk analysis protocol to ensure it is accurate, thorough, and up to date. Don’t guess. Know. We can take the guesswork out of it for you. With years of experience conducting HIPAA Security Risk Analyses and other HIPAA service solutions, PrivaPlan stands behind our work and in front of yours to ensure patient data is protected and hackers aren’t. For more information, contact us at or call 8772187707.
