On January 15, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that Excellus Health Plan, Inc., has agreed to pay $5.1 million and implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules related to a breach affecting over 9.3 million people. Excellus Health Plan is based in New York and is a health service corporation that provides health insurance to over 1.5 million people. To view the resolution agreement and corrective action plan, please click here.
According to the announcement, the investigation found potential violations of the HIPAA Rules, including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, information system activity review, and access controls.
"Hacking continues to be the greatest threat to the privacy and security of individuals' health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year, which endangered the privacy of millions of its beneficiaries," said OCR Director Roger Severino. "We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people's health information from this growing threat."
Healthcare Compliance Pros can help fulfill your SRA requirements!
Our Security Risk Analysis (SRA) tool is designed to identify areas of risk that need to be addressed and corrected within your organization. It helps you discover which policies and procedures are effective, need revision, or are missing altogether. Our SRA tool does the following and more:
- Divides up the SRA into sections for each area you need to evaluate.
- Saves progress so you can work on it throughout the year and make changes as they occur.
- Provides a history of each year's SRA with your Action Plan attached as a cover sheet.
- Is reviewed with your actual compliance program in mind, tying in other information from HCP to back up your responses.
- Allows supporting documentation to be uploaded, so your SRA is a comprehensive record with all applicable information in one place.
If you are interested in adding our SRA tool to your services or have questions about your current SRA, please contact us today! For more information about SRAs, please check out our Compliance Solved Podcast covering the importance of completing a yearly and thorough risk assessment.