
Will You Be Ready to Show Your HIPAA Risk Assessment?

Getting audited by the Office for Civil Rights (OCR), the federal agency responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), is becoming increasingly likely for medical professionals. Among the questions they will ask is, “Show me your risk assessment.” Will you be ready?

Being prepared for a HIPAA audit is your responsibility. To gain a better understanding of what is expected of you as a Covered Entity, let’s define what a Risk Assessment is and why it matters to you.


What Is a HIPAA Risk Assessment?
Risk assessments are nothing new. In fact, CAP’s Risk Management team has likely worked with you in the recent past to evaluate and strengthen your risk management strategies. While this is helpful, the Risk Assessment requirements under HIPAA are very specific, and they have nothing to do with the medical malpractice risk on which CAP is (properly) focused. A HIPAA Risk Assessment covers five primary categories: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures. The federal guidance for healthcare risk assessments was provided by the National Institute of Standards and Technology (NIST) as part of a risk management framework. Much like your taxes, you can do it yourself, or you can hire a professional compliance company to handle it for you. Most importantly, these Risk Assessments are not optional. You must conduct them – regularly, and whenever anything changes organizationally, with your facility, or with your technology.

Why It Matters to You
Point 1 – Since the passage of the Omnibus Rule in 2013, the OCR has been defining and refining its auditing enforcement efforts. After an initial round of audits, it retooled and in 2016 began its Phase 2 round of audits. Phase 2 audit processes include random “desk” audits, where a letter is sent to a randomly selected entity. As stated by OCR, these audits will continue to capture a growing number of Covered Entities and Business Associates year after year.

Point 2 – Cyber-related risks are increasing at an exponential rate. Lax security controls, particularly where prized healthcare records are concerned, are almost a certain breach in waiting. As cyber criminals and their tools proliferate, and the healthcare industry continues to be target number one, it’s become increasingly evident the only chance of protecting our personal health information is through increased diligence by industry stakeholders, even if motivated by the fear of federal penalties.

Point 3 – This year alone, as of the end of April, OCR has assessed a whopping $14.3 million in fines against small and large healthcare organizations. Ramping up its auditing and enforcement teams could generate well over $500 million annually for HHS if the current trend in rising cyber crime continues.

With increased risk and increased enforcement, waiting to conduct a Risk Assessment is flirting with financial disaster for your enterprise. Beyond the financial risk, the larger business risk includes the loss of trust of your patients and the damage to your reputation. After all, what provider wants to contact his or her patients informing them their entire personal identity, including their most personal health information, social security number, and/or other financial identifiers, has been stolen? You’ll be required to do just that if you, or one of your Business Associates, experiences a breach.

CAP has partnered with Acentec to assist you with HIPAA compliance. Your CAP team has negotiated a substantial discount on our HIPAA Security Suite compliance process, including a thorough Risk Assessment. Contact us today at 800-970-0402 to get started.


Jeff Mongelli is CEO of Acentec, Inc., a nationwide provider of HIPAA compliance and medical IT management services. Questions about this article may be directed to jmongelli@acentec.com. The information in this publication should not be considered legal or medical advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.