Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.
The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the Department's expectations for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account its own characteristics and environment.
We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary dependent on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.
OCR’s guidance is not prescriptive…
The following questions, adapted from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to conduct a risk assessment of their healthcare organization. A risk assessment helps your organization verify that it complies with HIPAA's administrative, physical, and technical safeguards, and it reveals areas where your organization's protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization, or visit the Office for Civil Rights' official guidance.
Risk assessments are a key component of your compliance strategy. They identify potential threats and weaknesses in the policies and procedures that make up your security plans, and that information is essential to protecting your business and network. They also produce the documentation you need to demonstrate compliance. In the event of an audit, the first item an auditor will ask for is the documentation from your most recent risk assessment, and you have only ten days to produce it.
Expect penalties related to risk assessments to increase…
Based on the HITECH Act’s 2009 mandate, OCR plans to continue prioritizing resolution agreements as a means of increasing awareness in the HIPAA-regulated community about continuing issues with noncompliance with the HIPAA Rules. Specific areas on which OCR intends to focus include business associate compliance, compliance with the risk analysis and risk management requirements in the HIPAA Security Rule, breaches due to cyber security incidents, and individual rights under the HIPAA Privacy Rule.
The penalty tiers below are taken from the most recent annual report published, the "Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2013 and 2014":
| Violation category (Section 1176(a)(1)) | Each violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| (A) Did Not Know | $100 to $50,000 | $1,500,000 |
| (B) Reasonable Cause | $1,000 to $50,000 | $1,500,000 |
| (C)(i) Willful Neglect, Corrected | $10,000 to $50,000 | $1,500,000 |
| (C)(ii) Willful Neglect, Not Corrected | $50,000 | $1,500,000 |
As you can see, risk assessments are not only a good idea, they are required under HIPAA for both covered entities and business associates. That is why we are excited to offer one of the most streamlined risk assessment tools in the industry. Just answer our 55-question risk assessment and let our utility do the rest. The questions can easily be completed by your own office staff or compliance officer.