The June 2014 issue of Health Management Technology on pages 18-19 has an excellent article on compliance monitoring by Jason Free entitled: “An in-depth discussion on risk management,” which can be found online at: http://www.healthmgttech.com/articles/201406/an-in-depth-discussion-on-risk-management.php. We recommend that you read this entire article, which is a transcript of a conference call, and that you pay particular attention to the comments of Adam Green on risk analysis, from which we select the following:
“Risk analysis is really hard. That’s one of the big challenges here. Every client would like a simple checklist that they can go through, check the boxes and feel like they’re done. Risk analysis, the way OCR [HHS Office for Civil Rights] seems to view, really requires some deep thought as to the particular risks [in] your organization…. There’s not a one-size-fits-all solution, and I think entities really had a hard time grappling with that notion sometimes…. They at least have been hearing that risk analysis has been really important. The Meaningful Use requiring risk analysis has brought the healthcare industry a long way on that front. There’s still a number of entities who haven’t got the message and won’t get the message until they are investigated, unfortunately, by OCR and told you need to have a risk analysis.”
Failure to conduct a risk analysis can be costly. OCR imposed $4.8 million in financial penalties on two healthcare organizations—New York-Presbyterian Hospital and Columbia University Medical Center—to resolve HIPAA noncompliance issues. The HHS/OCR news release regarding these resolutions is available at www.hhs.gov/news/press/2014pres/05/20140507b.html.
One of the violations cited in the New York-Presbyterian resolution agreement was “failed to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI.” The 12-page Resolution Agreement and Corrective Action Plan for New York and Presbyterian Hospital is available online at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/ny-and-presbyterian-hospital-settlement-agreement.pdf.
One of the violations cited in the Columbia University Medical Center resolution agreement was “failed to conduct an accurate, and thorough risk analysis that incorporates all IT equipment, applications and data system utilizing ePHI, including the server accessing [New York-Presbyterian Hospital]-ePHI.” The 11-page Resolution Agreement and Corrective Action Plan for Columbia University Medical Center is available online at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/columbia-university-resolution-agreement.pdf.
In addition to the cost considerations, failure to conduct a risk analysis impairs an organization’s ability to implement a comprehensive risk management plan to achieve HIPAA/HITECH Act compliance. The findings from the risk analysis provide the basis for designing and documenting safeguard policies and procedures, implementing safeguard training for workforce members, and conducting safeguard effectiveness evaluations. Achieving compliance with HIPAA Privacy and Security and HITECH Act Breach Notification Rule standards, implementation specifications, and requirements starts with executing a risk analysis and updating it as business operations or regulations change.
Policies and procedures related to the standards and implementation specifications of the HIPAA Privacy and Security Rules and the HITECH Act Breach Notification Rule, along with a concordance linking Meaningful Use Security Measures to HIPAA Security implementation specifications, are available for download on this HIPAA Safeguard Web site. With the guidance and reference material that accompanies each of the policies and procedures, including requirements for conducting a risk analysis based on National Institute of Standards and Technology (NIST) documentation, a covered entity or business associate can readily tailor these required HIPAA/HITECH Act safeguard policies and procedures to a specific business operational environment and, once the policies and procedures are implemented, demonstrate compliance. Training courses that cover these safeguards and also provide accredited continuing education opportunities are available at: www.hipaaschool.com. As the two Resolution Agreements referenced in this posting indicate, achieving compliance prior to an investigation related to a complaint or breach—or a random compliance audit—is significantly less costly than a determination of noncompliance afterward.