Risk Assessment Draft
Steps to Compliance:
Risk Assessment
PRESENTED BY
Today’s Presenters
Daniel B. Brown, Esq.
Healthcare Attorney
Taylor English Duma LLP
Jason Karn
Director of Training and IT
Total HIPAA Compliance
Housekeeping
This program is educational and does not
constitute, and may not be construed as,
legal advice to, or creating an attorney-client
relationship with, any person or entity.
The materials referenced here are subject to change, so
frequent review of the source material is suggested.
What is a Risk Assessment?
Requirement for HIPAA Compliance
Written evaluation of Administrative, Physical, and
Technical processes in your practice
Administrative
• Your written process for protecting PHI
Physical
• How you physically protect PHI
Technical
• How you protect electronic PHI
Why You Need to Conduct a Risk Assessment
Required by the HIPAA Security Rule (where it is called a "risk analysis")
• This is the first item an auditor will ask for
• This gives you an outline to develop your Privacy and
Security Policies and Procedures
Reveals areas that may require special attention
First step to protecting your business and patients
1. 45 C.F.R. § 164.308(a)(1)(ii)(A). Risk analysis is one of four required implementation specifications under the Security Management Process standard, 45 C.F.R. § 164.308(a)(1).
Penalties
Alaska Dept. Health & Human Services fined $1.7 million
• No Risk Assessment
Hospice of North Idaho, settled case for $50,000
• Did not conduct a Risk Assessment
• Fewer than 500 people were affected
Anchorage Community Mental Health Services fined $150,000
• Unpatched software
• Failed to conduct a Risk Assessment
What is a Meaningful Risk Assessment?
A meaningful Risk Assessment is a thorough audit
of your practice’s processes, including:
Administrative
Physical
Technical
Administrative
Privacy and Security Compliance Officers
List of all workforce members, roles, and their access
Written disciplinary/sanction policy for HIPAA violations
HIPAA Training Program
Business Associate Agreements in place
Plan for handling Breaches
Physical
How do you secure your offices…?
• Locks, key cards, alarms, etc.
How and where are personal records secured and stored?
Do you have an inventory of your electronic assets?
What do you do with old media?
How do you dispose of paper records?
Who has access to your office space?
Technical
What is your encryption policy for…?
• Computers
• Emails
• Electronic Files
Can you audit who has been accessing which records, and do you review those logs?
Does each workforce member have their own unique user ID and password (no shared logins)?
Do you have…?
• Data Backup Plan
• Disaster Recovery Plan
• Emergency Mode Operation Plan
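The two audit questions above (can you tell who accessed which records, and does every user have their own login?) are the ones a small practice most often cannot answer from its own logs. The script below is an added example, not part of the presentation and not HHS's tool: it reads a constructed, hypothetical CSV access log (timestamp, user, patient_id, action), builds a per-user, per-patient access report, and flags the two things that make such a report useless or suspicious, shared or generic logins that cannot be tied to one person, and roster members who never appear. The log format, the roster and the list of generic login names are all assumptions for the example; a real EHR audit log will need its own parser.

```python
"""Audit "who accessed which record" from an EHR access log.

Added example, not from the presentation. The log format is a constructed,
hypothetical CSV (timestamp,user,patient_id,action); real EHR audit logs
differ, so adapt parse_access_log() to yours.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log. The shared "frontdesk" login defeats the purpose
# of an audit trail: nobody can say which person sat at that screen.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2024-03-04T08:02:11,jsmith,P1001,view
2024-03-04T08:05:40,jsmith,P1001,update
2024-03-04T08:31:02,frontdesk,P1002,view
2024-03-04T09:10:15,frontdesk,P1003,view
2024-03-04T11:47:09,mlee,P1002,view
2024-03-04T23:15:30,jsmith,P1004,view
2024-03-05T07:55:00,mlee,P1004,export
"""

# Constructed workforce roster (the "list of workforce members, roles, and
# their access" from the Administrative slide): user ID -> role. Every ID
# belongs to exactly one person; generic logins are deliberately absent.
ROSTER = {"jsmith": "physician", "mlee": "nurse", "rgarcia": "billing"}

# Hypothetical list of logins that are not a person; use your own naming rules.
GENERIC_LOGINS = {"frontdesk", "admin", "nurse", "reception"}


def parse_access_log(text):
    """Parse the CSV log into dicts, converting the timestamp to a datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def access_report(rows):
    """user -> patient_id -> number of accesses. Answers 'who touched what?'."""
    report = defaultdict(lambda: defaultdict(int))
    for r in rows:
        report[r["user"]][r["patient_id"]] += 1
    return {user: dict(patients) for user, patients in report.items()}


def shared_logins(rows, roster=ROSTER, generic=GENERIC_LOGINS):
    """User IDs in the log that are generic names or not on the roster.
    Any hit means the audit trail cannot attribute those accesses to a person."""
    seen = {r["user"] for r in rows}
    return sorted(u for u in seen if u in generic or u not in roster)


def dormant_accounts(rows, roster=ROSTER):
    """Roster members with no activity in the log: candidates for disabling."""
    seen = {r["user"] for r in rows}
    return sorted(u for u in roster if u not in seen)


def after_hours(rows, start=7, end=19):
    """Accesses outside a working-hours window [start, end); a review input,
    not a verdict, since on-call access is legitimate."""
    return [r for r in rows if not (start <= r["timestamp"].hour < end)]


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_LOG)
    for user, patients in access_report(rows).items():
        print(user, patients)
    print("shared/unknown logins:", shared_logins(rows))
    print("dormant accounts:", dormant_accounts(rows))
    for r in after_hours(rows):
        print("after hours:", r["timestamp"].isoformat(), r["user"],
              r["patient_id"], r["action"])
```

On the sample log the report attributes two patients to jsmith and two to mlee, but the two accesses under "frontdesk" cannot be attributed to anyone; that login shows up in shared_logins(), and rgarcia shows up as dormant. Those two lists, plus the after-hours entries, are what a reviewer actually works from when answering the audit question for the Risk Assessment.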
How Do You Complete a Risk Assessment?
Small and medium-size practices can conduct a
Risk Assessment using HHS’s free tool.
• Expect to spend 10-20 hours completing this.
• http://nue.md/hhsriskassessment
Hire an outside vendor to complete it
• A Business Associate Agreement is required with this vendor, because it will have access to your PHI while doing the work
How Often Should I Perform a Risk Assessment?
Establish initial assessment
Major changes in software or hardware
No changes – revisit the Assessment at least every 2-3 years (the Rule requires periodic review but sets no fixed interval)
When you’ve had a Breach
Special Thanks
Taylor English Duma LLP is a full-service law firm built from the ground up to provide
highest-quality legal services for optimal value. The firm was founded in 2005 and its
attorneys work each day to provide timely, creative and cost-effective counsel to help
clients solve problems and achieve goals. Taylor English represents all types of clients—
from Fortune 500 companies to start-ups to individuals.