Many medical practices attesting for meaningful use these days are asking me specifically for a HIPAA Risk Analysis to fulfill the Meaningful Use Incentives requirement (Stage 1 and Stage 2).
The underlying purpose of a HIPAA Risk Analysis is to uncover risks and vulnerabilities affecting your PHI that need to be addressed. HIPAA/HITECH is all about patient privacy and security. You know it is a requirement that every practice must do a risk analysis or face hefty fines and penalties. However, with all the other things practices need to deal with, like ICD-10, PQRS, etc., it's no wonder that the risk analysis has taken a back seat at many places.

Since HIPAA does not provide implementation details on how to do a risk analysis, there are many questionnaires, spreadsheets and checklists out there that people use to do self-assessments and "comply" with the risk analysis requirement. There are even some businesses that do a risk analysis over the phone or online. ONC/HHS even made available a Security Risk Assessment Tool meant to assist providers and professionals as they perform a risk assessment. However, this is just a tool to assist and does not guarantee compliance. According to their disclaimer: "The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks."

It is possible for small practices to do a risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional [1].
The security of your computer network cannot be properly assessed without an onsite physical network diagnostic test. Would you be comfortable getting screened for a disease over a phone call or website? Of course not! You need to have some tests done and then have the results looked at and explained by a healthcare professional. The same goes for your computer network. Conducting a thorough risk assessment requires onsite access to your office network for a network diagnostic check by a HIPAA-trained IT professional (not all IT providers are HIPAA certified and/or knowledgeable). Then you need documentation of everything assessed, matched to and referencing the security rules. It's important to understand that it's not just about being compliant, it's about being protected against a breach. Being compliant does not mean you are fully protected, in the same way that having a driver's license does not mean you are a good driver.
Here are two examples of breaches that occurred because of incomplete and inadequate risk analysis. Yes, these organizations met the requirement of conducting a risk analysis, but their analyses were not complete and comprehensive.
1. $4.8 million settlement - New York Presbyterian/Columbia University
"Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI."
2. $400,000 settlement - Idaho State University
"OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities"
Not all HIPAA Risk Analyses are the same. The WorryFreeMD HIPAA Risk Assessment is your best opportunity to protect yourself from a costly violation of the HIPAA Security Rule and the stiff fines that are often levied on those who fail to take proactive measures to prevent them.
Schedule your comprehensive HIPAA Risk Assessment at www.WorryFreeMD.com.
[1] Read: Top 10 Myths of Security Risk Analysis. https://www.healthit.gov/providers-professionals/top-10-myths-security-risk-analysis
About Fernando Sosa
Fernando Sosa is a technology consultant, project management professional, and software developer who helps small businesses and nonprofit organizations make the most of their information technology resources.