Security Risk Assessment as a Service (SRAaaS)

Chris Bowen

Author: Chris Bowen
Chief Privacy and Security Officer and Founder, CISSP, CIPP/US, CIPT

In 2017, OCR increased its HIPAA compliance investigations and settlements that resulted in civil monetary fines.  It now has adequate resources from these fines averaging about $2 million, a significant increase from previous years.  OCR has now concluded that the healthcare industry is failing, even though sufficient time was given to develop a strong data security program; therefore, we expect more investigations in the coming years.

Because of this increased scrutiny, it is critical to understand that if investigated and fined, settlements can carry substantial penalties. In addition, those who are investigated and must settle based on findings can expect to adopt an expensive and time-consuming comprehensive corrective action plan.

What are the Civil Monetary Penalties for Failure to Comply?

Prior to February 18, 2009, civil penalties could not be imposed for more than $100 for each violation and they capped at $25,000 per calendar year.  The civil penalties imposed following the HITECH Act § 13410 and the HHS Omnibus Rule clarifications (for violations of the HIPAA Privacy and Security Rules) have become significantly more stringent.

The table below summarizes these penalties introduced by HITECH § 13410:

Tier (Level of Culpability) – Least harsh to Severe Min penalty per each violation All such violations of an identical provision in a calendar year
A – must show that the “person did not know and by exercising reasonable diligence would not have known” of the violation – objective standard that asks, “what would a reasonable person do?” $100 w/ annual maximum of $25,000 for repeat violations $50,000 w/ annual maximum of $1.5 million
B – showing of “reasonable cause” as to why compliance with a provision was not met $1,000 w/ annual maximum of $100,000 for repeat violations $50,000 w/ annual maximum of $1.5 million
C – culpability level due to “willful neglect” that has been corrected $10,000 w/ annual maximum of $250,000 for repeat violations $50,000 w/ annual maximum of $1.5 million
D – culpability level of “willful neglect” that has not been corrected $50,000 w/ annual maximum of $1.5 million $50,000 w/ annual maximum of $1.5 million

Source: American Medical Association

It is important to keep in mind that all culpability levels carry minimum fines and higher culpability levels carry increasingly higher penalties.  The higher penalties that are for culpability level of “willful neglect” are defined as being “clueless and/or cavalier” toward compliance obligations.

Here are some examples that demonstrate “willful neglect”:

  • Have no Security Risk Assessment in place, nor plans in place to show how full compliance will be achieved; not in compliance currently
  • Have no verifiable evidence of training staff as required by the regulations
  • EHR system is running on a local server and the “server room” is not secured— anyone (including public) has access
  • Have no plan for notifying patients and Secretary (and potentially the media) when unsecured ePHI has been breached

While fines can vary based upon the severity of the incident, keep in mind that the Office for Civil Rights (OCR) is taking all incidents very seriously, recently fining Advocate Health Care Network $5.55 million in addition to requiring that they adopt a corrective action plan.  This settlement is the largest to date against a single entity.

“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”

Complying with the HIPAA Security Rule makes sense when considering the costs associated with a breach investigation, breach notifications, government investigations, government fines, continued government monitoring pursuant to a HHS-imposed corrective action plan, and defending lawsuits related to the breach.

How can ClearDATA help?

ClearDATA provides a compliance curriculum and remediation support for our clients that have a Security Risk Assessment as a Service (SRAaaS) contract.  ClearDATA’s Security Risk Assessment (SRA) team can help by scheduling a time to answer questions and provide guidance with the remediation efforts and with future Security Risk Assessments.  On-going security risk assessments involve guidance to ensure the ePHI inventory is updated as newer technologies are implemented, and reviewing the current Security Program Remediation Plan that reflects the remediation status for each gap identified in previous years.

These are efforts to assist healthcare entities and business associates maintain a strong focus of ensuring processes are in place by conducting regular and comprehensive risk analyses and being prepared to show the HHS auditors verifiable evidence of the current compliance processes that will help to avoid these high culpability “willful neglect” or “reckless indifference” penalties.

“Patients seeking healthcare trust that their providers will safeguard and protect their health information. Compliance with the HIPAA Security Rule helps covered entities meet this important obligation to their patient communities.”
– Roger Severino, OCR Director

Learn more at