SRA

MMG Fusion HIPAA Settlement
Abyde News, Fines, HIPAA

15 Million Reasons to Review Your Business Associates: Lessons from the MMG Fusion Settlement

March 6, 2026 No comments yet

March 6, 2026 They say a mistake ignored is a disaster in the making. For one dental software provider, a 2020 breach became a 15-million-patient nightmare in 2026. MMG Fusion LLC, a dental marketing software business in Maryland, is in the crosshairs of the OCR and the subject of the latest HIPAA enforcement action. MMG agreed to a $10,000 settlement and a 3-year Corrective Action Plan (CAP).  The latest HIPAA settlement, and the 12th Enforcement Action in the Office for Civil Rights (OCR) Risk Analysis Initiative, highlighted the importance of completing a thorough Security Risk Analysis (SRA), proper Breach Notification, and choosing the right Business Associate (BA).  What Happened?  In December 2020, a malicious actor infiltrated MMG’s systems. Over 15 million patients’ Protected Health Information (PHI) was exposed in the cybercrime and leaked to the dark web.  Under the HIPAA Breach Notification Rule, a BA must notify affected Covered Entities (the dental practices) within 60 days of discovering a breach. However, the OCR didn’t learn about this 2020 incident until a complaint was filed in March 2023, more than two years later. The investigation uncovered a critical flaw: MMG Fusion lacked a compliant Security Risk Analysis (SRA). The SRA is a comprehensive review of an organization’s physical, technical, and administrative safeguards to protect PHI. A thorough SRA likely would have identified the very system vulnerabilities that the hackers exploited in 2020. Although the OCR factored in MMG’s “small business” status when determining the $10,000 fine, this amount does not account for the years the investigation took, the accumulated costs of legal counsel, stress, and reputational damage that occurred before the fine was made public. Additionally, MMG will also need to report to the OCR for 3 years in accordance with the CAP settlement.  Streamline Your Compliance This case highlights three non-negotiable pillars for every HIPAA-regulated entity: compliant HIPAA risk assessments, timely breach notification to the OCR and impacted parties, and choosing the right business partner to handle your sensitive information.  Managing vendors and staying on top of SRAs is overwhelming for a busy healthcare organization.  Modern software solutions automate the SRA process and generate compliant Business Associate Agreements (BAAs) for Covered Entities and BAs to use, ensuring both parties are held accountable.  Ready to learn more? Meet with an expert today!

Top of the World Ranch Treatment Center HIPAA Settlement
Abyde News, Fines, HIPAA

2026 HIPAA Compliance Alert: $103,000 Settlement for Risk Analysis Failure

February 23, 2026 No comments yet

February 23, 2026   The Office for Civil Rights (OCR) is back with a massive settlement to start 2026.  A rehab center in Illinois, Top of the World Ranch Treatment Center (TWRTC), recently agreed to a $103,000 and 2-year Corrective Action Plan (CAP) settlement following a security breach that exposed major security vulnerabilities. This settlement is also the 11th enforcement of the Risk Analysis Initiative.  The Top of the World Ranch Treatment Center HIPAA settlement was announced just days after the OCR officially enacted the Part 2 changes to the Notice of Privacy Practices. As of Feb 16, all Covered Entities, regardless of scope of practice, must update their Notices of Privacy Practices (NPP) to include special provisions regarding the handling of Substance Use Disorder (SUD) Protected Health Information (PHI).    What Happened?  In March 2023, an employee’s email account was compromised in a phishing attack, exposing fewer than 2,000 records. In the world of healthcare data breaches, where numbers often reach the millions, this was a relatively small but still severe incident. However, the OCR’s enforcement was not based on the size of the breach, but on missing paperwork. This breach report initiated an investigation that led the OCR to find the SUD facility had failed to complete a compliant Security Risk Analysis (SRA). The SRA is the foundation of a HIPAA-compliant practice and an extensive assessment of the potential vulnerabilities your practice might face. The SRA reviews the administrative, physical, and technical safeguards your practice must have in place.  Since TWRTC hadn’t completed this proactive assessment, they missed the specific vulnerabilities in their technical defenses that eventually allowed a phishing email to succeed.   The Bottom Line The Top of the World Ranch Treatment Center HIPAA settlement proves that the OCR doesn’t punish based on how ‘big’ a mistake is, but for a lack of preparation. Breaches happen, but your team’s readiness and response are what determine whether you face an enforcement action. You might think your practice is too small to be a target, but this settlement shows that if you have a breach, no matter the size, the first thing the OCR will ask for is your SRA. If you don’t have it, the legal repercussions could be far more painful than the breach itself. Is your SRA current for 2026? If not, meet with our team of experts today to get compliant.

End of Year HIPAA Checklist
Abyde News, Best Practices, HIPAA

End of Year HIPAA Checklist: 5 Things to Wrap Up Before 2026

December 30, 2025 No comments yet

December 30, 2025   You may be done wrapping gifts, but year-end is the perfect time to wrap up compliance loose ends and start the new year with everything tied up in a neat bow.  As your office returns to normal after a post-holiday haze, use the (hopefully) quiet time to get your compliance program in order. Here’s your practice’s end-of-year HIPAA checklist to help you confirm the essentials are handled and documented before 2026 begins.   Confirm HIPAA Training is Complete (and Documented) HIPAA training is required yearly and for all new staff members upon joining the team. As the year comes to a close, it’s strongly recommended to review all training documentation. This should include confirming that any new hires have received HIPAA onboarding training, verifying that all current staff completed training during the calendar year, and ensuring that your practice has the necessary documentation, such as training certificates, to prove it.  Maintaining records of your training is crucial. Not only does it keep your documentation organized, but the Office for Civil Rights (OCR) will require this proof if your practice is ever investigated.   Make sure your Right of Access Process is Crystal Clear to all Staff While patient record requests might seem simple, they’re one of the most common HIPAA violations. In fact, the latest HIPAA fine, exceeding $100,000, was issued due to one patient’s complaint after their records weren’t properly released.  Ensure your staff is aware of the process for releasing patient records and the strict timelines your practice must follow. On a federal level, records must be released within 30 days; however, depending on the state, they may be released even sooner.    Review your Business Associate Agreements (BAAs) This is one of the most common gaps across practices: vendors have access to PHI, but the paperwork isn’t complete or updated. The vendors, or Business Associates (BAs), with which your practice works must also follow HIPAA requirements. To protect your practice, ensure your practice has a Business Associate Agreement (BAA) in place with any vendors you work with. A BAA establishes legal liability if your BA experiences a breach. It also outlines the steps your vendor must take to maintain the security of Protected Health Information (PHI) and how to respond to a data breach.    Confirm your Security Risk Analysis (SRA) is Current The Security Risk Analysis (SRA) is at the foundation of a compliant practice. The SRA is a comprehensive review of all physical, technical, and administrative safeguards your practice has in place. For example, the SRA would review how your practice checks patients, as well as the operating system used on the computers in your practice.  Take this downtime to review your SRA. The OCR expects this to be an active, living document, not something that sits in a folder gathering dust. Ensure you have identified any new risks, such as new software implementations or changes in office layout, and have updated your SRA accordingly.    Update Your Policies and Procedures Operating on “outdated instructions” is a major liability. HIPAA requires that your written policies and procedures accurately reflect your practice’s current daily operations. If you’ve implemented new technology in your practice or changed any internal workflows, now is the time to ensure that the policies and procedures show that.  While policies and procedures might feel like just paperwork, alongside thorough training, they are the primary tools for ensuring your staff knows exactly how to handle and protect patient data.   Streamline Compliance in 2026 If this End of Year HIPAA checklist feels overwhelming to manage while running a busy practice, you’re not alone. The good news? You don’t have to do it manually. Smart compliance software is designed to eliminate the guesswork from the process. From dynamically generating your policies and procedures to automating employee training and guiding you through your SRA, turning hours of “paperwork” into a few simple clicks. Meet with a compliance expert today to see how you can streamline compliance in 2026.

HIPAA government shutdown
Abyde News, HIPAA, Legislation

Beyond the SRA: Keeping HIPAA on Track When Government Tools Go Dark

October 29, 2025 No comments yet

October 29, 2025   By now, you’d have to be hiding under a rock to miss the headlines surrounding the government shutdown. The impact of this federal funding freeze is hitting nearly every major industry in the United States. While we aren’t sure when it will end, it’s shaping up to possibly be the longest government shutdown ever. However, lost in the political chess match is news about a vital resource for medical practices: The Health and Human Services Office for Civil Rights (HHS OCR) Security Risk Analysis (SRA) tool has been taken offline.   The SRA website as of October 29, 2025 This tool is necessary for healthcare practices to analyze the technical, physical, and administrative safeguards they have to secure Protected Health Information (PHI). Without it, practices could be left with serious violations that jeopardize their practice and their patients’ confidential information.  While it may not seem like a big deal for a government website to be hit with a “be back soon” message, the SRA is a major resource for healthcare practices looking to implement the most effective and appropriate precautions necessary for compliance. During the last round of audits, only 14% of practices were able to produce compliant documentation, but with the SRA tool rendered ineffective, that number could go even lower.  Unfortunately, this isn’t the first time the tool has gone down. So, what do practices do in the meantime?  The instability of the government-run SRA highlights the importance of implementing a comprehensive compliance program for every single practice that wants to meet the requirements of federal and state regulations. (Hint: that should be every practice.)   How Compliance Software Can Help Your Practice Fortunately, there are solutions available that aren’t beholden to DC downtime, like Abyde. Abye’s medical compliance software offers an SRA tool that was built using the government’s requirements, but presented in a more digestible format. This tool (which is online today!) gives practices the same insight into potential vulnerabilities that could violate compliance and lead to serious consequences.  But even better, the software solution dives deeper – after all, the information revealed by the SRA is just the tip of the iceberg.  HIPAA compliance is a thorough and continuous process, and your practice must cultivate a culture of compliance to pass audits, protect patient data, and maintain the integrity of your business.  The right software can help you not only spot vulnerabilities but mitigate them with end-to-end training, dynamic policy and procedure generation, BA documentation, and more. It also provides resources like compliance checklists that can shield your practice from common pitfalls and costly fines. Beyond the tangible benefits, thorough compliance software offers expert support to assist with HIPAA compliance questions, complaints, breaches, and audits. The SRA tool is a stepping stone to compliance; a centralized hub lets your practice know exactly where it stands.    Getting Compliant Today Even amid a shutdown, your HIPAA obligations don’t pause. Sooner or later, the two sides will play nice and we’ll be back to our regularly scheduled investigations. Don’t let your compliance slide in the meantime! A modern platform centralizes your SRA, policies, BAAs, training, and support so you always know what’s done, what’s due, and what’s at risk. Meet with a compliance expert today to learn more about HIPAA compliance in your practice. 

Security Risk Analysis software for healthcare
Abyde News, HIPAA

Introducing Abyde’s Security Risk Analysis for Covered Entities

September 23, 2025 No comments yet

September 23, 2025   At the foundation of every HIPAA-compliant practice is a Security Risk Analysis (SRA).  The SRA is a thorough assessment of all administrative, physical, and technical safeguards your practice has in place to secure Protected Health Information (PHI). The comprehensive SRA needs to include everything your practice does, from using a sign-in sheet to alarms in the practice to how your computer systems are handled. This documentation must be updated annually and completed for every location of a practice. It is also required for MIPS.  This analysis allows your practice to identify vulnerabilities before an issue occurs. If your SRA shows a server running an outdated version, fix it now; don’t wait for it to become a breach.  A missing SRA is one of the most common HIPAA violations discovered by the Office for Civil Rights (OCR). In fact, during the last round of audits, 86% of Covered Entities, or practices, couldn’t produce a compliant SRA.  The OCR has also introduced the Risk Analysis Initiative, focusing on this document when investigating practices. Since the end of 2024, there have been 10 enforcements of this initiative, totalling over a million dollars in fines. During any investigation, the OCR can and will ask you to provide proof of this document.  This document sets the groundwork for compliance in your practice and is key to proving proactive compliance if a situation arises.  However, completing an SRA is easier said than done. With intricate complexities and the different areas of your practice that must be reviewed, it’s tough to figure out where to start.  Manually completing an SRA takes time and is prone to mistakes. Hiring a third-party consultant can get expensive, and you could lose patient time if they need to close your practice while completing the documentation.    Streamlining the SRA There is a better way.  Abyde has released its Security Risk Analysis for Covered Entities solution to simplify completing this documentation.  While this feature is implemented in the full HIPAA for Covered Entities product, alongside training, dynamic policy and procedure documentation generation, Business Associate Agreements, event logs, live support, and more, Abyde has created our latest product to assist practices in taking their first step toward compliance.  The Security Risk Analysis for Covered Entities solution is crafted for healthcare practices and streamlines the SRA into an intuitive questionnaire. Instead of closing your practice for the day, complete this questionnaire within an hour with cloud-based software.  After completion, the Security Risk Analysis software for healthcare will generate a Scorecard report, highlighting any recommendations for your practice to achieve compliance.  The full SRA only needs to be completed once. After that, the software prompts you with ongoing questions whenever updates are required. For example, if your practice isn’t encrypting emails, it will flag this as a high risk and remind you on a monthly basis until your practice takes the proper precautions.  Enjoy the SRA? You can easily upgrade the Security Risk Analysis software for healthcare to Abyde’s full HIPAA for Covered Entities product and maintain your SRA.    Get Compliant Today A Security Risk Analysis doesn’t have to be complicated or time-consuming.  With Abyde’s Security Risk Analysis for Covered Entities software, your practice can complete a thorough, compliant SRA quickly and accurately, without disrupting patient care.  Ready to streamline your SRA? Meet with a compliance consultant today.

Business Associate Phishing Fine
Abyde News, Business Associates, Fines, HIPAA

Phished and Fined: A $175,000 HIPAA Lesson for Business Associates

August 26, 2025 No comments yet

August 26, 2025 When scrolling through your inbox, letting your guard down is easy. Maybe you click on that email that looks like it’s from your bank without hesitation, or are swayed by the unsolicited message for a random all-expenses-paid trip. Unfortunately, phishing emails are everywhere, and they target the healthcare industry due to the sensitive nature of Protected Health Information (PHI). BST & Co., CPAs, LLP, known as BST, is a victim of phishing scams. The New York accounting and consulting firm, which works with practices, received the latest HIPAA enforcement, with a $175,000 fine and a two-year Corrective Action Plan or close monitoring by the Office for Civil Rights (OCR). The OCR discovered, after the fallout of a phishing email, that the Business Associate (BA) had failed to complete a Security Risk Analysis (SRA). This is the 10th enforcement of the Risk Analysis Initiative since its introduction last year. An SRA is a requirement for all HIPAA-regulated entities to assess all potential vulnerabilities of any physical, technical, or administrative safeguard in their organization. By identifying any concerns before a breach occurs, organizations are able to better safeguard PHI, keeping both their business and patients safe. This fine reminds us that BAs are just as responsible for upholding HIPAA as traditional medical practices and that completing the SRA is paramount. What Happened? On December 4, 2019, malware entered BST’s network after a successful phishing attempt. From December 4 to December 7, 170,000 patients’ PHI was exposed. The OCR began its investigation after BST reported the breach in February 2020. The OCR discovered that BST had not completed a thorough SRA. With a thorough SRA, BST could have seen the vulnerabilities regarding emails, or even how they secured Covered Entities’ PHI, and either prevented this breach or minimized its impact. Compliant Business Associates Keep Patients Safe Even though BST wasn’t treating patients directly, as an accounting and consulting firm they still had access to a Covered Entity’s PHI. That’s a clear reminder of just how important it is to make sure your Business Associates (BAs) are fully compliant. When your BA follows a comprehensive HIPAA compliance program, your practice gains peace of mind and a stronger, more secure partnership. The right solution helps you stay ahead of your BA responsibilities, whether that’s generating and maintaining Business Associate Agreements, providing staff training with practical tips like email safety, or completing a Security Risk Analysis (SRA) to uncover hidden risks. Connect with our team of compliance experts today to learn more.

Abyde News, HIPAA

Introducing SRA Contributor: Master Your HIPAA Risk Analysis

June 3, 2025 No comments yet

June 3, 2025 Have you ever been stumped by a HIPAA Security Risk Analysis (SRA) question because you didn’t know the answer? Even the most seasoned HIPAA Compliance Officers encounter administrative and technical security questions outside their area of expertise, and that’s completely normal. Remember, you’re not expected to have all the answers. So, how are you supposed to get the right answers for the questions you don’t know from those who do? Abyde’s latest update, SRA Contributor, helps you get the necessary answers. This feature allows you to send questions internally to other Abyde users (at your practice) or externally to trusted contacts of your Business Associates (BAs), allowing you to complete your SRA confidently.  The Users section has now been updated to include both Users and Contributors. Once in this section, click the SRA Contributor tab to add external individuals, such as your IT partner, who can assist in answering SRA questions.   Then, complete the SRA. We encourage users to mark uncertain questions with ‘Don’t Know’. Once the SRA is complete, Abyde users can access the SRA Contributor feature from their Scorecard module and securely send any questions as needed. Hit the Abyde Flag icon to the right of any question on your Scorecard to activate the SRA Contributor pop-up and select your Contributors. As a reminder, you can add a note to any question for your Contributors.   Once flagged, the question(s) are batched and ready to be sent. Abyde recommends reviewing any and all questions for Contributors and sending them in one batch to reduce the number of emails. After all questions are flagged, send them together by hitting the send icon on the Contributor line below the question or from the global SEND button at the top of the Scorecard module.  Once sent, your SRA Contributors (and other Abyde users) will receive an email to the secure SRA Contributor Portal. The Contributor Portal includes all flagged questions. Your Contributors can answer your questions, add notes, and send their responses to you once they complete the portal.  From there, you will receive an email notification that your question has been answered and is ready for review. Then, you can either reject or approve an SRA Contributor’s answers. If approved, their answer and note (if present) replace your initial response on the SRA. If rejected, you can send the question again to other contributors or manually change the answer yourself. SRA Contributors’ answers and Contributor Portal links (if they never answered the question) can also be deleted from the Scorecard by clicking the Trash Can icon.  Why This Matters A thorough and accurate Security Risk Analysis (SRA) is paramount for safeguarding patient data and ensuring compliance. It is the foundation of a compliant practice.  The SRA Contributor enables you to complete the SRA more efficiently and confidently, enhancing collaboration with your business associates and other Contributors who manage the more technical aspects of your practice.  This ensures that the required SRA is completed accurately and thoroughly, giving you confidence in the integrity and completeness of your answers.  To learn more, contact our support team at support@abyde.com, or call 1.877.816.1620. 

Small Healthcare Practice HIPAA Fine
Abyde News, Fines, HIPAA

Small Size, Same Rules: HIPAA Fine Serves as Reminder for All Healthcare Providers

May 19, 2025 No comments yet

May 19, 2025   HIPAA compliance is not just a recommendation; it’s a requirement, no matter how small your organization is. The latest HIPAA fine is a testament to this, with Vision Upright MRI the latest practice to be penalized.  The small California MRI center experienced a significant breach, which exposed several violations in the fallout. Acting Office for Civil Rights (OCR) Director Anthony Archeval emphasized the widespread cybersecurity risks, noting that these threats impact healthcare providers of all sizes:  “Cybersecurity threats affect large and small covered healthcare providers.”  Vision Upright MRI was fined $5,000 and will now face a two-year Corrective Action Plan (CAP), being monitored by the OCR.  This fine showcases that no practice, big or small, must be followed to keep patient data safe.     What Happened? At the end of 2020, Vision Upright MRI experienced a breach in its systems due to an insecure server. This cybercrime exposed over 21,000 patients’ medical images, leading to the OCR’s investigation.  The investigation discovered that the MRI center had never completed a Security Risk Analysis (SRA). The SRA thoroughly examines a practice, reviewing all current safeguards to secure Protected Health Information (PHI). These safeguards can include physical barriers the practice has implemented, like locked doors and alarms, and the administrative techniques the practice follows, like routinely checking access to sensitive patient data.  The SRA is critical for a compliant practice and should be completed annually and after any breaches.  While the SRA is a fundamental requirement for a practice, it is unfortunately often overlooked. The OCR has implemented a Risk Analysis Initiative to ensure practices are completing this requirement, and has reinstated the audit program, reviewing if regulated entities are maintaining this document.  In addition to missing the SRA, Vision Upright MRI did not properly notify affected parties within 60 days, violating the Breach Notification Rule.  The Breach Notification Rule requires practices to notify patients within 60 days of discovering a breach, regardless of how many were impacted. This short timeline allows patients to take the necessary precautions for the safety of their data. The practice should also provide credit monitoring. Since this event impacted well over 500 patients, the threshold to consider the situation a large breach, Vision Upright MRI also needed to notify the media and the OCR within a 60-day timeline. Communicating this is imperative, allowing the OCR to swiftly begin its investigation and potentially affected patients to receive information through media channels. These serious missteps led to the monetary settlement and years of government monitoring.    Streamlining HIPAA Compliance Even a small practice doesn’t require overwhelming resources to be HIPAA compliant. The right compliance program can simplify HIPAA compliance. With smart solutions, the SRA can be completed easily, reviewing questions and potential vulnerabilities the practice faces. Additionally, breaches can be reported in intelligent software, with compliance experts assisting practices through alerting patients and the OCR.  Meet with an expert today to learn how to automate your compliance program.   

Risk Analysis Initiative HIPAA Fine
Abyde News, Fines, HIPAA

Don’t Be Next: HIPAA Fine Shows Risk of Ignoring Security Risk Analysis

April 17, 2025 No comments yet

April 17, 2025 Let’s make this clear: The Security Risk Analysis (SRA) is at the foundation of a compliant practice. The SRA is the proactive assessment of your practices’ physical, technical, and administrative safeguards. Physical safeguards include alarms, codes, and other procedures or devices your practice might deploy. Technical safeguards involve cybersecurity protocols, like firewalls, antivirus software, encryption, and other security measures. Lastly, the administrative safeguards are your practice’s actions, such as using visitor IDs, maintaining a sign-in sheet, or even posting about patients on social media. The latest HIPAA fine is another reminder of the importance of the SRA in protecting patient data. This is the sixth Risk Analysis Initiative enforcement since the end of last year. The Office for Civil Rights (OCR) is serious about ensuring that practices know this requirement. This focus has remained consistent even during administration transitions. Said best by OCR Acting Director Anthony Archeval, “A failure to conduct a risk analysis often foreshadows a future HIPAA breach.”   What Happened?  Northeast Radiology, P.C. (NERAD), a healthcare provider specializing in medical imaging clinical services in New York and Connecticut, experienced a significant breach that exposed nearly 300,000 patients’ Protected Health Information (PHI). The breach, which occurred from April 2019 to January 2020, was caused by unauthorized individuals accessing radiology images of patients due to a compromised server. When the OCR began investigating the practice in March 2020, it was discovered that NERAD did not have an SRA. Due to the absence of this document and the sheer size of the breach, the organization was fined $350,000 and will undergo a two-year Corrective Action Plan (CAP).   Completing an SRA NERAD’s HIPAA settlement with the OCR is a clear reminder that your practice needs to complete an SRA long before a breach occurs. While an SRA might seem daunting, addressing problems before patients’ information is at risk is much easier. Completing this risk assessment can help your practice identify vulnerabilities before they escalate into compliance issues. While the SRA mandates practices to analyze and review existing procedures thoroughly, this process doesn’t need to be overwhelming or costly. With smart solutions, your practice can answer simple questions about your practice while the software intuitively builds out an SRA report, analyzes the current situation, and provides recommendations to mitigate potential risks. To learn more about how your practice can streamline the SRA, schedule a consultation with an expert today.

Multi-Location HIPAA Security Risk Analysis
Best Practices, HIPAA

Location-Specific SRAs: A Must-Have for Healthcare Organizations

December 17, 2024 No comments yet

December 17, 2024 Keeping all locations in line with HIPAA regulations can be quite a challenge, especially when managing a multi-location practice. It’s a complex puzzle that requires careful attention to detail and a proactive approach to ensure compliance across the board. And we hate to break it to you, but a blanket Security Risk Analysis for your organization isn’t enough. A Security Risk Analysis, or SRA, is a thorough review of your organization’s physical, administrative, and technical safeguards to protect patient data. Even when you’re managing compliance at a single location within a multi-location organization, you are responsible for ensuring an SRA is completed for your location. The Office for Civil Rights (OCR) is serious about this requirement, as indicated by a recent significant fine. A penalty of over $500,000 was recently announced for the Children’s Hospital of Colorado system. While this investigation was sparked by a phishing attack, one of the major findings was missing SRAs for all locations. Completing this SRA is imperative. As the OCR spearheads new enforcement and initiatives, it’s time to get compliant. What is a SRA? The SRA is an in-depth review of everything your practice does to ensure patient data is safe. This means everything from whether your practice utilizes alarms and codes on doors to the servers you use and even how your staff handles patient intake, like how the sign-in sheet process works. The SRA is the first step of a compliant practice because it allows you to review your vulnerabilities and make changes to uphold your commitment to keeping data safe. The SRA is also a requirement for MIPS. Unfortunately, the SRA is a commonly missed requirement for medical practices. In fact, 86% of all practices could not show an adequate SRA in the last round of random HIPAA audits. Completing a sufficient Security Risk Assessment (SRA) is essential for maintaining a compliant medical practice. This process is closely linked to the Office for Civil Rights (OCR) Risk Analysis Initiative, which mandates that medical practices and organizations carry out this required assessment. Recently, the Bryan County Ambulance Authority was fined $90,000 for failing to conduct an SRA, marking the first enforcement action under this new initiative. This incident demonstrates the OCR’s commitment to this initiative and its dedication of resources to ensure compliance. Importance of Location-Specific SRAs When conducting a SRA, assessing every location within your organization is vital. While performing a single SRA for the entire entity might seem easier, compliance is more intricate and requires ongoing attention rather than being a one-off endeavor. Each location has distinct vulnerabilities that must be acknowledged and addressed. For instance, one location might have different vendors than another, and another location might be in an older building, with different security to keep Protected Health Information (PHI) safe. Although some overarching requirements may come from the main location, capturing each site’s specific conditions is essential. This thorough documentation demonstrates that every location takes compliance seriously, addresses vulnerabilities, and keeps patient data safe. How to Complete an SRA With the right resources, managing and completing an SRA for a multi-location practice can be simplified. Organization is key: ensuring each location completes all SRAs and can be easily accessed in a centralized location. Your organization can efficiently complete this requirement by having a tailored set of questions for each location. To learn more about streamlining your multi-location SRAs for your organization, schedule a consultation with a HIPAA expert today.

Want an inside look at how the OCR operates? Watch our latest webinar with Iliana Peters, former Acting Deputy Director for HIPAA at the HHS OCR.

WATCH RECORDING
X