Hospital to Pay $250,000 After Alleged False HITECH Claims
Whistleblowers Say Hospital Falsely Attested to Conducting Risk Analysis for EHR Incentive Program
… The former Coffey CIO and compliance officer were likely concerned about their liability and responsibilities down the road, says Susan Lucci, a senior privacy and security consultant at tw-Security.
“What’s worse here is that … there is a huge HIPAA violation in the open access to health records due to the shared firewall which required no username or password to access medical records,” she notes.
“It’s possible that some other hospitals may have attested [under the HITECH Act] that they completed a security risk analysis but in reality, they performed a HIPAA gap assessment against the HIPAA audit protocol,” notes Keith Fricke, principal consultant at tw-Security. “A HIPAA gap analysis and a risk analysis are not the same.”
… Fricke offers a similar assessment. “Organizations may not fully understand what a security risk analysis really entails, and if they attempt completing risk analyses themselves, they may not get it right. In some cases, a risk analysis may have been completed, but no action ever taken on the findings. In other cases, the risk analysis was not complete.”