According to a January 15, 2015 article in Law360 titled “Top HIPAA Enforcer Sees Cyber Breaches Rising,” the number of healthcare payers experiencing cyberattacks that result in breaches of protected health information (PHI) is on the rise. Jocelyn Samuels, director of the Office of Civil Rights at the U.S. Department of Health and Human Services, stated, “any organization that holds sensitive data is at risk, and this is why it is so important that HIPAA covered entities and their business associates assess and address the risks to the electronic PHI they hold on a regular basis.”
Independent Risk Assessment Required Under HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires organizations that handle PHI to regularly review the administrative, physical and technical safeguards in place for the healthcare payer and its vendors to protect the security of patient health data. Conducting a risk assessment allows a healthcare payer or its vendors to uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help to address vulnerabilities before health data breaches or other security events occur.
Even though security risk assessments are a key requirement of the HIPAA Security Rule, many healthcare payers do not conduct internal risk assessments and do not require documentation from vendors showing that the appropriate safeguards are in place to support better security for patient health data.
Healthcare Recovery Solutions’ Independent Data Security Audit
At HRS, our clients’ data safety and security is our top priority. To ensure we meet the highest levels of data security, we participate in a rigorous independent regulatory audit program each year. This audit is administered by Churchill & Harriman, a company recognized as a global leader in data security and risk identification. Churchill & Harriman utilizes the Shared Assessment Program to provide a comprehensive analysis of our company’s data policies and procedures. Initially developed by leading accounting and financial institutions, the Standard Assessment Program provides standardization, consistency and efficiency when evaluating a vendor’s risk assessment. The Program is continually updated and refined by risk professionals. It includes cloud and mobile device data security, as well as traditional areas of risk identification.
If a current or prospective client would like a copy of HRS’s most recent data security audit report, please contact Jackie Lantieri at firstname.lastname@example.org
HRS does not provide legal services. Entering into a contract with HRS does not create an attorney-client relationship. For legal advice relating to any potential claims identified by HRS, an attorney must be consulted.
220 Lake Drive East Suite 101 Cherry Hill, NJ 08002