Risk Assessment Draft


Steps to Compliance: Risk Assessment
PRESENTED BY
Today’s Presenters
Daniel B. Brown, Esq.
Healthcare Attorney
Taylor English Duma LLP
Jason Karn
Director Training and IT
Total HIPAA Compliance
Housekeeping

This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity.

The materials referenced here are subject to change, so frequent review of the source material is suggested.
What is a Risk Assessment?

• Requirement for HIPAA Compliance
• Written evaluation of Administrative, Physical, and Technical processes in your practice
• Administrative
  ◦ Your written process for protecting PHI
• Physical
  ◦ How you physically protect PHI
• Technical
  ◦ How you protect electronic PHI
Why You Need to Conduct a Risk Assessment

• Required by the HIPAA Law [1]
  ◦ This is the first item an auditor will ask for
  ◦ This gives you an outline to develop your Privacy and Security Policies and Procedures
• Reveals areas that may require special attention
• First step to protecting your business and patients

[1] 45 C.F.R. § 164.308(a)(1). Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A).
Penalties

• Alaska Dept. Health & Human Services fined $1.7 million
  ◦ No Risk Assessment
• Hospice of North Idaho, settled case for $50,000
  ◦ Did not conduct a Risk Assessment
  ◦ Fewer than 500 people were affected
• Anchorage Community Mental Health Services fined $150k
  ◦ Unpatched software
  ◦ Failed to conduct a Risk Assessment
What is a Meaningful Risk Assessment?

A meaningful Risk Assessment is a thorough audit of your practice's processes, including:

• Administrative
• Physical
• Technical
Administrative

• Privacy and Security Compliance Officers
• List of all workforce members, roles, and their access
• Written disciplinary/sanction policy for HIPAA violations
• HIPAA Training Program
• Business Associate Agreements in place
• Plan for handling Breaches
Physical

• How do you secure your offices?
  ◦ Locks, key cards, alarms, etc.
• How and where are personal records secured and stored?
• Do you have an inventory of your electronic assets?
• What do you do with old media?
• How do you dispose of paper records?
• Who has access to your office space?
Technical

• What is your encryption policy for:
  ◦ Computers
  ◦ Emails
  ◦ Electronic Files
• Can you audit who has been accessing records?
• Does each employee have their own unique password?
• Do you have:
  ◦ Data Backup Plan
  ◦ Disaster Recovery Plan
  ◦ Emergency Mode of Operation Plan
How Do You Complete a Risk Assessment?

• Small and medium-size practices can conduct a Risk Assessment using HHS's free tool.
  ◦ Expect to spend 10-20 hours completing this.
  ◦ http://nue.md/hhsriskassessment
• Hire an outside vendor to complete it
  ◦ A Business Associate Agreement is required with this vendor
How Often Should I Perform a Risk Assessment?

• Establish initial assessment
• Major changes in software or hardware
• No changes – revisit Assessment every 2-3 years
• When you've had a Breach
Special Thanks

Taylor English Duma LLP is a full-service law firm built from the ground up to provide highest-quality legal services for optimal value. The firm was founded in 2005 and its attorneys work each day to provide timely, creative and cost-effective counsel to help clients solve problems and achieve goals. Taylor English represents all types of clients—from Fortune 500 companies to start-ups to individuals.