If you look at [Risk Analysis] like a compliance exercise, you won’t do enough.
Nashville, Tenn. (PRWEB) June 04, 2014
Even as enforcement increases and penalties stiffen, most organizations are still not adequately responding to their responsibilities under HIPAA to execute a comprehensive approach to risk analysis and risk management, according to a panel of national experts in information privacy and security.
Clearwater Compliance recently convened its HIPAA Blue Ribbon Panel to address the continuing confusion that exists among organizations when it comes to assessing and managing risks to protected health information (PHI). The panel of national experts engaged in an interactive online event with compliance professionals from across the country to discuss best practices and common mistakes made when conducting risk analysis and risk management activities.
Panelists acknowledged that assessing and managing risk is hard work, and that many organizations simply don’t enter into these activities with the right perspective.
“It’s time consuming, and it’s more work than most people really want to tackle,” said John Christiansen, Principal at Christiansen IT Law. “The tendency is for organizations to try and do just enough to get by instead of coming up with meaningful solutions.”
Healthcare organizations approaching Risk Analysis with the goal of minimum compliance will miss the mark.
“It’s all about intent,” said Kamal Govindaswamy, President of Risk & Compliance Consulting Group. “You can’t view this as an obligation. You have to see it as something that has enormous repercussions on your ability to keep patient data safe and secure, as well as protecting your organization’s finances and reputation. If you look at it like a compliance exercise, you won’t do enough.”
Results of Phase 1 HIPAA security audits conducted by the HHS Office for Civil Rights in 2012 leave little room for doubt about the need for better Risk Analysis and Risk Management. In Phase 1, 68% of entities audited or investigated for HIPAA compliance were found to have incomplete or inadequate Risk Assessment. And, a recent announcement from OCR about the focus of 2014 and 2015 Phase 2 audits only underscores the point; HIPAA Security Risk Analysis and Risk Management are a top focus.
Bob Chaput, CEO of Clearwater Compliance and Blue Ribbon Panel moderator, emphasized that compliance is an ongoing activity, which begins with a comprehensive Risk Analysis to surface and document an inventory of assets, related threats and operative vulnerabilities. When an asset, threat and vulnerability come together you have a “Risk.”
However, that is just the first step in the journey, panelists warned.
“You are never really done. This is a lather, rinse, repeat situation,” said Christiansen. “If you have the mentality that there is an end to the work, you aren’t being realistic. You must consistently reevaluate and adjust accordingly. Particularly when there are material changes within your organization or your environment."
Fellow Panelist, Gregory J. Ehardt, HIPAA/Assistant Compliance Officer for Idaho State University, shared the silver lining his organization realized after an OCR investigation emphasizing there is value in “…just being more aware, and changing the paradigm in the organization. When you experience a breach, it makes you better than you were yesterday. It raises awareness and gets everyone more involved.”
While interacting with attendees live, The HIPAA-HITECH Blue Ribbon Panel shared best practices for HIPAA Risk Analysis and Risk Management.
- Make sure executive management is aware of any developments or changes in an organization’s Risk Management Plan.
- Evaluate worst-case scenarios regularly, and compare the cost of a data breach vs. the cost of a Risk Assessment.
- Ensure an “emergency plan” is in place to allow quick response when issues arise.
- Identify where all ePHI is located. This asset inventory is a critical first step for being able to safeguard the data.
- Identify all potential risks your company currently faces or could face in the future.
- Carefully administer access rights for those who can access data. For example, be certain access rights are terminated when an employee leaves the company.
- Ensure a Business Risk Management Plan is in place, and educate your organization about implementation of the plan.
- Evaluate and review the Security Risk Analysis annually.
In the end, the panel left attendees with the perspective that appropriately addressing risks requires sacrifice in the short term but delivers significant long-term value for the organization.
“Risk analysis is the right thing to do. It’s the required thing to do. But it’s also a valuable investment to make,” said Panelist Rick Kam, President of ID Experts. “When you compare the cost of a breach to conducting a thorough risk analysis and taking appropriate actions to manage risk within your organization, you will discover a very compelling business case for doing this the right way.”
About the HIPAA-HITECH Blue Ribbon Panel
Clearwater Compliance convenes the HIPAA-HITECH Blue Ribbon Panel monthly for 90-minute interactive sessions via an ongoing series of live web events. Each session features 5-6 national experts who share insight and exchange ideas while fielding questions from attendees.
About Clearwater Compliance: http://www.clearwatercompliance.com
Clearwater Compliance, LLC, focuses on helping healthcare organizations and their service providers become and remain HIPAA-HITECH Compliant. Owned and operated by veteran, C-suite health care executives, Clearwater Compliance provides comprehensive, by-the-regs HIPAA software and tools, risk management solutions, training, and professional services for small medical practices and healthcare startups to major healthcare systems, health plans and Fortune 100 companies. Since 2003, the company has served more than 350 organizations. Find out more about our HIPAA compliance software, solutions and consulting services at clearwatercompliance.com or connect via Twitter: @ClearwaterHIPAA.