Updated: Feb 21, 2019
From our "Keys to Preventing a Breach 2.19" article on this page.
The output of the HIPAA-mandated risk analysis should be a risk register that describes each risk arising from a vulnerability (the lack of a sufficient security control). Once a risk is identified it must be managed and acted upon, not merely recorded as a good intention.
Recognizing that more risks may be identified than there is time to address, tackle the highest-level risks first, and consider engaging a part-time employee or contractor to bring the Covered Entity's (CE) risk profile below its risk tolerance threshold. Failure to properly manage and update the risk register may lead OCR to find "Willful Neglect" during an audit or investigation.
OCR uses four accountability levels as the basis for a corrective action plan or civil monetary penalty, of which the most expensive is "Willful Neglect." Penalties for willful neglect that is not corrected within 30 days of the first date on which the CE liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred are $50,000 per violation, capped at $1,500,000 per year for identical violations.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated.
It is human nature to believe that breaches and OCR settlements will only happen to someone else, but they happen many times a week to Covered Entities large and small.
Link to complete whitepaper: https://docs.wixstatic.com/ugd/6be7c6_2865b729fd434ec98b8d94332267e82c.pdf