Security Risk & Audit Services

In today's information security environment, doing the bare minimum for information security management is not good enough. With that approach it is only a matter of time before an organization responsible for ePHI suffers a major system disruption, an ePHI security breach, or both.

If your business creates, receives, stores, transmits or otherwise possesses patient data (protected health information), you are subject to the HIPAA Privacy, Security and Breach Notification Rules.

Covered entities and business associates are each directly liable for violations of the HIPAA Rules, including the civil money penalties that follow from them.

How can we help you?

Our audit services will help you understand your organization's ePHI management strengths and weaknesses.

You can afford compliance; you cannot afford non-compliance.

We start with a short questionnaire that establishes the maturity of your compliance program and defines our scope of work. That scope becomes the project plan and starting point. From there we build a custom, ongoing compliance program for your organization covering documentation, operations and management.

Clinical Service provider note:

If you have attested for Meaningful Use incentive money, you have also pledged to state and/or federal agencies that you have taken the required steps to examine and protect your patient data, including conducting a security risk analysis. If you are audited, a failure to manage compliance could cost your organization significant amounts of money. The burden of proving compliance rests with your healthcare organization's leaders.

Civil penalties fall into two broad categories: "Reasonable Cause" and "Willful Neglect". The Reasonable Cause tiers (including violations you did not know about) range from $100 to $50,000 per violation and never involve jail time, since civil penalties are purely monetary. The Willful Neglect tiers range from $10,000 to $50,000 per violation. Criminal charges are separate: they apply under a different statute to knowingly obtaining or disclosing protected health information in violation of HIPAA, not to the civil penalty tiers themselves.

The HIPAA civil penalty tiers and their amounts are outlined in the chart below. The per-violation amount is assessed for each violation; the maximum is the annual cap for all violations of an identical provision in a calendar year:

Type of violation | Penalty per violation | Annual maximum for identical provisions

Did not know of the violation and could not reasonably have known | $100 – $50,000 | $1,500,000

Reasonable cause: knew or should have known of the violation, but not willful neglect | $1,000 – $50,000 | $1,500,000

Willful Neglect, corrected: you knew of the problem and corrected it within the required 30-day period | $10,000 – $50,000 | $1,500,000

Willful Neglect, not corrected: the problem was ignored and no action was taken to correct it | $50,000 | $1,500,000

Source: HHS, FederalRegister.gov

It is essential that organizations handling patient information conduct a Privacy and Security Risk Assessment and a vulnerability audit. The Security Rule requires a documented risk analysis, and the penalties for being unprepared are too large to ignore.


Can you answer these questions about your health care operation?

  • Is your healthcare data management plan continuously updated?
  • Do you know what your data security risks are?
  • Is all of your ePHI encrypted?
  • Have you conducted a risk analysis since upgrading your EMR?
  • Are your Business Associates providing ample protection of your data?

If the answer to any of the questions above is "No", you are running a very high risk of non-compliance, with serious financial consequences.