In general, a provider or facility must consider at least two kinds of risk under its HITECH/HIPAA compliance governance strategy. One is clearly compliance risk (i.e. the risk of fines under HITECH's Enhanced Enforcement provisions, Subtitle D).
The other type of risk, business risk, may ultimately be more damaging. In short, what is your reputation worth? We are living on Internet time and any significant (or insignificant) breach related to PHI is going to make national headlines.
Not only are you now required to provide notification (if the PHI is "unsecured"), but your patients, partners, and federal/state agencies are all going to hear about it. In addition, your EHR incentive payments may be put at risk.
The graphic below summarizes this perspective: