[ Tuesday, October 18, 2016 ]
Another Day, Another big HIPAA settlement: $2,140,500 paid by St. Joseph Hospital of Irvine, California.

The hospital installed a new server for its "meaningful use" process, but didn't remove the default settings that made the server generally accessible over the internet. They hired consultants and did some risk analysis, but none of it was system-wide; I'm not sure that a system-wide review would've fixed the problem, but if we've learned anything lately, the fact that the error didn't cause damage doesn't mean you don't have to pay for it.
Good, solid, system-wide risk analysis, reaching across your entire enterprise (geographically, lines of service, operationally, administratively, whatever) is mandatory, and (if you get caught, even by an unrelated issue) failure to do so will probably bring a fine.
Jeff [12:59 PM]