Annual Risk Assessments

HHS OCR Guidance

Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

We understand that the Security Rule does not prescribe a specific risk analysis methodology, recognizing that methods will vary depending on the size, complexity, and capabilities of the organization. Instead, the Rule identifies risk analysis as the foundational element in the process of achieving compliance, and it establishes several objectives that any methodology adopted must achieve.

What is a Risk Analysis?

OCR’s guidance is not prescriptive…

The following questions, adapted from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

What is Risk Assessment?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk Analysis video to learn more about the assessment process and how it benefits your organization or visit the Office for Civil Rights’ official guidance.

Read the HHS Press Release.

Risk assessments are a key component of your compliance strategy. They are used to identify potential threats and weaknesses in your policies, procedures, and security plans. This information is key to protecting your business and network, and the assessment also produces the documentation you need to demonstrate compliance. In the event of an audit, the first piece of information the auditor will ask for is the documentation from your most recent risk assessment, and you have only ten days to produce it.

HIPAA Violations & Penalties

Expect penalties related to risk assessments to increase…

Plans for Future Increased Enforcement

Based on the HITECH Act’s 2009 mandate, OCR plans to continue prioritizing resolution agreements as a means of increasing awareness in the HIPAA-regulated community about continuing issues with noncompliance with the HIPAA Rules. Specific areas on which OCR intends to focus include business associate compliance, compliance with the risk analysis and risk management requirements in the HIPAA Security Rule, breaches due to cyber security incidents, and individual rights under the HIPAA Privacy Rule.

From the most recent annual report published: “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2013 and 2014”

Violations & Penalties

Violation category (Section 1176(a)(1))        Penalty for each violation    Cap for all violations of an identical provision in a calendar year
(A) Did Not Know                               $100 – $50,000                $1,500,000
(B) Reasonable Cause                           $1,000 – $50,000              $1,500,000
(C)(i) Willful Neglect – Corrected             $10,000 – $50,000             $1,500,000
(C)(ii) Willful Neglect – Not Corrected        $50,000                       $1,500,000

As you can see, risk assessments are not only a good idea; they are required under the HIPAA Security Rule for both covered entities and business associates. That is why we are excited to offer one of the most streamlined risk assessment tools in the industry. Just answer our 55-question risk assessment, then let our utility do the rest. The questions can easily be completed by your own office staff or compliance officer.

CEC Networks Inc.