Re: Increasing complexity
@jagibbons your question about partners being on the hook for penalties if there was a problem found in the audit is a good one. The key aspect is understanding that a security risk assessment identifies areas that an organization is lacking in terms of HIPAA compliance as well as protecting patient information. So by doing a security risk assessment the organization is not automatically HIPAA compliant. The security risk assessment might recommend that laptops and USB drives be encrypted or that the organization ensure that servers are stored in a locked server room or closet. It would be the organization's responsibility to implement the additional security that has been recommended in the security risk assessment.
With the above said, HIPAA Secure Now provides $100,000 of financial protection to our clients in the event they are audited and receive any HIPAA-related fines or penalties. The financial protection also covers breach-related expenses (forensics, patient notification, credit monitoring, etc.). In addition, we provide assistance to help the client through the audit. We refer to our compliance portal as a "book of evidence" where we can show auditors the organization's policies and procedures, risk assessment reports and work plans, their security incident response plan, executed business associate agreements, proof that employees have received HIPAA security training, etc.
Let me know if you have any other questions.