Erin Dunlap Provides Insight on Overturned HIPAA Penalty for Healthcare Risk Management

After a small orthopedic clinic in Georgia was fined $1.5 million for HIPAA violations, Healthcare Risk Management turned to health care and data privacy attorney Erin Dunlap to share what smaller providers can do to protect themselves from cyber risk and government enforcement.

Erin, a nationally recognized expert in health care data privacy and security, explains that although the HIPAA Security Rule has existed for nearly 20 years, many smaller healthcare providers lack adequate security measures to protect against increasingly pervasive cyber risk. She advises providers to conduct a risk analysis, which is the first critical step in meeting HIPAA security requirements and can be done internally or by an outside vendor.

If resources are limited, she points providers to the Security Risk Assessment Tool provided by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), the agency that enforces HIPAA. Erin then advises providers to create a corresponding risk management plan to correct or mitigate the risks discovered through the risk analysis. These two steps, even if imperfect, will help an organization in any OCR investigation.

Erin’s extensive knowledge of HIPAA, 42 C.F.R. Part 2 and state privacy laws helps her counsel health care organizations and companies working in the health care space across the country on compliance issues. She has led numerous clients through privacy and security-related investigations, including investigations following small and large data breaches. Erin is a firm believer in being proactive about privacy and data security, particularly in the health care space. In the end, an organization cannot always control what may happen on a given day, but preparation, education and documentation are key.

Read the full article here.