Risk Analysis is Key Document in Achieving HIPAA Security Compliance

We commend to your attention an important article that appears in a June 13, 2014, Healthcare IT News posting, “Security tips from the health IT pros,” available online at http://www.healthcareitnews.com/print/80616. The article has useful advice on a number of topics, including the importance of:

  • Encryption to safeguard protected health information (PHI) at rest in databases and on portable devices, and in motion during transmission; and
  • Policies and procedures as the foundation of workforce safeguard education and training.


We want to highlight one quote from this article about the importance of conducting a risk analysis and periodically reviewing it for effectiveness:


“Get your risk analysis done—and done properly. 


“‘This is the single most important document as part of the OCR investigation,’ said Lynn Sessions, partner at Baker Hostetler, who focuses on healthcare privacy. ‘(OCR is) asking for the current one; they are asking for two, three, five years back. They want to see the evolution of what was going on from a risk analysis standpoint at your institution to see if you were appreciating the risk.’”


We have harped on this issue numerous times in previous postings. If you are a covered entity or business associate that is not yet convinced of the importance of getting the risk analysis done, periodically reviewed, and documented, we recommend reading the resolution agreements and corrective action plans on the Office for Civil Rights (OCR) Web site: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/. The cost of conducting a risk analysis based on the provisions of National Institute of Standards and Technology (NIST) documents is substantially less than the financial settlements for HIPAA violations uncovered in OCR investigations, as recorded in those resolution agreements.


Risk analysis is not only the foundation of the HIPAA Security Rule, but also of the Stage 1 and Stage 2 Meaningful Use security measures. Risk analysis and risk management based on NIST provisions are addressed in the policies and procedures available for download on this HIPAA Safeguard Web site. Also provided are guidance and references for all other HIPAA Security Rule safeguard standards and implementation specifications, as modified by the HIPAA Omnibus Final Rule implementing the HITECH Act, published January 25, 2013, with compliance required no later than September 23, 2013. A covered entity or business associate can readily tailor these policies and procedures to its specific operational environment based on the findings of its risk analysis. Finally, HIPAA Safeguard includes a concordance that maps the Stage 1 and Stage 2 Meaningful Use security measures to the appropriate HIPAA Security Rule standards and implementation specifications.

