We commend to your attention an important article that appears in a June 13, 2014, Healthcare IT News posting: “Security tips from the health IT pros,” which is available online at: http://www.healthcareitnews.com/print/80616. This article has useful advice on a number of topics, including the importance of
We want to highlight one quote from this article about the importance of conducting and periodically reviewing for effectiveness the risk analysis:
“Get your risk analysis done—and done properly.
“‘This is the single most important document as part of the OCR investigation,’ said Lynn Sessions, partner at Baker Hostetler, who focuses on healthcare privacy. ‘(OCR is) asking for the current one; they are asking for two, three, five years back. They want to see the evolution of what was going on from a risk analysis standpoint at your institution to see if you were appreciating the risk.’”
We have harped on this issue numerous times in previous postings. If you are a covered entity or business associate that is not convinced of the importance of getting the risk analysis done, periodically reviewed, and documented, we recommend reading the resolution agreements and corrective action plans at the Office for Civil Rights (OCR) Web site: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/. The cost of conducting a risk analysis based on provisions in National Institute of Standards and Technology (NIST) documents is substantially less than the financial settlements for HIPAA violations uncovered in OCR investigations, as stated in the resolution agreement examples.
Risk analysis is not only the foundation of the HIPAA Security Rule, but also of Stage 1 and 2 Meaningful Use Security Measures. Risk analysis and risk management based on NIST provisions are addressed in the policies and procedures available for download on this HIPAA Safeguard Web site. Also provided are guidance and references related to all other HIPAA Security Rule safeguard standards and implementation specifications, as modified by the HITECH Act on January 25, 2013, and requiring compliance no later than September 23, 2013. A covered entity or business associate can readily tailor these policies and procedures to its specific business operational environment based on findings from its risk analysis. Finally, HIPAA Safeguard includes a concordance that maps Stage 1 and Stage 2 Meaningful Use Security measures to appropriate HIPAA Security Rule standards and implementation specifications.