Are Your HIPAA Security Risk Analyses Good Enough?

Posted by John Dimaggio on Jul 28, 2016 10:49:26 AM

In HIPAA Security

Does your organization perform routine HIPAA Security Risk Analyses?  If so, are those analyses “good enough”?  With the 2016 Office for Civil Rights (OCR) audits currently underway, and more audits looming for 2017, healthcare organizations would be wise to shore up their security regimens to ensure compliance with the HIPAA Security Rule.

Most healthcare organizations are undoubtedly performing routine risk analyses. But do those analyses meet all requirements of the HIPAA Security Rule? Following the “spirit” of the law but failing to follow the “letter” of the law can result in serious consequences including fines, negative publicity, OCR audits and OCR corrective action plans.

The HIPAA Security Rule treats risk analysis as the very foundation of security compliance: it is a required implementation specification (45 CFR §164.308(a)(1)(ii)(A)), not an addressable one. While the Rule does not require a specific risk analysis methodology, it does require the scope of the analysis to encompass the potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI that an organization creates, receives, maintains, or transmits. This includes ePHI in all forms of electronic media, not just the primary EHR. The Security Rule, as interpreted in OCR’s Guidance on Risk Analysis, also establishes certain elements that the analysis must include:

  • Identification and documentation of “reasonably anticipated” threats
  • Assessment of current security measures
  • Assessment of likelihood of threat occurrence
  • Assessment of threat impact
  • Determination of risk level
  • Final assessment documentation
  • Periodic review and update

From there, organizations should have an active risk management plan that addresses all physical, technical and administrative vulnerabilities identified in the analysis.  The plan should clearly outline remediation items, corrective strategies, resource assignment and projected completion dates. The overall regimen should include implementation of policies and procedures to “prevent, detect, contain, and correct security violations”. 

It is also important to keep evidence that remediation items are acted upon regularly, and that reasonable progress is being made given an organization’s resources. Keep in mind that open remediation items are still potential violations, so it is critical to resolve these issues as quickly as possible and to document why any item remains open.

Finally, don’t underestimate the complexity of HIPAA compliance. Complex, ever-changing regulations, a growing number of vulnerabilities, implementation of new technologies and changes in business processes can make it difficult to stay in front of emerging threats. Consider hiring a compliance partner to help navigate the process by designing a customized approach based on your organization and tailored to meet your specific regulatory requirements and state statutes.

BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, nursing facilities, LTC pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.