TriPoint Healthcare Solutions

Advising, Educating, and Operationalizing Privacy and Security in Healthcare


Archives for April 2015

The Risk of Not Doing a Risk Analysis: Is It Worth It?

April 16, 2015 by Danika Brinda

Some of the most famous people of our past constantly encourage us to take risks to further ourselves and create more opportunities. We think about these quotes when big decisions are being made in all aspects of our lives. But then we have to stop and think: some risks may be worth taking to better a community, organization, or person; however, the risk of not doing something so vital to an organization, such as a HIPAA Risk Analysis, can be detrimental and can cause an organization to have a data breach or lose valuable patient information needed to support patient care. In the words of Warren Buffett, “Risk comes from not knowing what you are doing.” If you apply that concept to the management and protection of patient information, risk comes from not knowing how you are protecting patient information, not knowing the security safeguards at your organization, and not knowing where patient information is being stored or how it is being transmitted. At the HIMSS 2015 conference in Chicago, IL, many of the speakers discussed the importance of knowing where information exists and what is being done with that information in the normal course of business.

One process is meant to create the baseline understanding of the current areas of risk for a healthcare organization and is required by the HIPAA Security Rule: the HIPAA Risk Analysis. In a 2014 study conducted by NueMD, out of 1100 physician practices, only 33% were confident that a HIPAA Risk Analysis had been completed for their organization. In his article, Gruessner (2015) discussed that 22% of eligible providers and 5% of eligible hospitals are failing audits from the Meaningful Use program. Previous documentation shows that not properly conducting a HIPAA Risk Analysis is a top reason for the failure of these audits (not the only reason; many others exist). Out of the 23 fines that have been assessed to healthcare organizations since 2009 for data breaches, 15 of the 23 resolution agreements clearly stated that risk assessment was one of the non-compliance areas evaluated in setting the amount of the fine. It is clear that many organizations are not doing the HIPAA risk analysis, but is it worth the risk? Are you willing to take your chances on non-compliance with HIPAA, a large data breach, a million-dollar fine from the Office for Civil Rights, and potential class action lawsuits? The answer for all healthcare organizations should be NO! The risk of not doing the risk analysis is not worth it.

There are many different ways to conduct a risk analysis; there is no right or wrong way! In 2010, the Office for Civil Rights recommended the following steps for conducting a risk analysis:

  1. Define the Scope of the Analysis
  2. Define the Data Collection Process
  3. Identify and Document Potential Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine Likelihood of Threat Occurrence
  6. Determine Impact of Threat Occurrence
  7. Determine Level of Risk
  8. Finalize Documentation

Check out the details of the guidance at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
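To show how steps 2 through 8 fit together on paper, here is a small risk register in Python. It is an added example, not code from this post or from the OCR guidance; the ePHI inventory is constructed, and the scoring rule (each documented control lowers likelihood one step, likelihood × impact gives a 1–9 score, with 3 and 6 as the medium/high thresholds) is an assumed convention, not one OCR prescribes.

```python
# Added example: a minimal HIPAA risk register that walks OCR steps 2-8.
# The inventory below is constructed sample data, not real client data.
from dataclasses import dataclass, field

RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str                    # step 2: where ePHI is stored or transmitted
    threat: str                   # step 3: potential threat or vulnerability
    controls: list = field(default_factory=list)  # step 4: current safeguards
    likelihood: str = "medium"    # step 5: inherent likelihood before controls
    impact: str = "medium"        # step 6: impact if the threat occurs


def residual_likelihood(item):
    """Assumed rule: each documented control lowers likelihood one step, floored at 'low'."""
    score = max(1, RATING[item.likelihood] - len(item.controls))
    return next(name for name, value in RATING.items() if value == score)


def risk_level(item):
    """Step 7: combine residual likelihood with impact into a 1-9 score and a level."""
    score = RATING[residual_likelihood(item)] * RATING[item.impact]
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, level


def finalize_documentation(register):
    """Step 8: the written record, highest risk first, flagging what still needs mitigation."""
    for item in register:
        if item.likelihood not in RATING or item.impact not in RATING:
            raise ValueError(f"{item.asset}: likelihood and impact must be low, medium or high")
    rows = []
    for item in register:
        score, level = risk_level(item)
        rows.append({"asset": item.asset, "threat": item.threat, "controls": item.controls,
                     "residual_likelihood": residual_likelihood(item), "impact": item.impact,
                     "score": score, "level": level, "mitigation_required": level != "low"})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed inventory for illustration only.
REGISTER = [
    RiskItem("EHR database server", "ransomware delivered by phishing", ["endpoint AV", "offline backups"], "high", "high"),
    RiskItem("Clinic laptops", "theft of an unencrypted device", [], "medium", "high"),
    RiskItem("Fax to referral partners", "misdialed number discloses PHI", ["confirmation call"], "medium", "low"),
]

if __name__ == "__main__":
    for row in finalize_documentation(REGISTER):
        print(f"{row['level']:6} {row['score']}  {row['asset']}: {row['threat']} "
              f"(residual likelihood {row['residual_likelihood']}, impact {row['impact']})")
```

Running it ranks the unencrypted laptops as the high-risk item, which is the point of the exercise: the finalized documentation tells you where mitigation effort goes first.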

After the risk analysis is completed, an organization should spend time evaluating and implementing security controls to mitigate the risks and reduce the likelihood of occurrence.  It is important that as risks identified in the risk analysis process are mitigated, the healthcare organization should assure

Are you willing to take the risk of not conducting a regular risk analysis? All answers should be NO! The time is now: follow the famous words of Warren Buffett, understand what you don’t know, mitigate the risks that you have, and protect the privacy and security of patient information!

Danika

References:

NueMD (2014) HIPAA survey: http://www.nuemd.com/hipaa/survey/index.html

Gruessner (2015): https://ehrintelligence.com/2015/04/09/meaningful-use-audits-cause-undue-hardships-for-physicians/


Here comes Peter Cottontail – Hopping Down the HIPAA Trail!

April 1, 2015 by Danika Brinda

When we think about the Easter holiday and the spring that has found us, the focus shifts from existing in a dull, mundane world into a new world full of new life and new excitement. The snow melts (if you have snow), the rivers and lakes open, the birds chirp more, and the temperature rises. At the same time, we prepare for one of our favorite furry friends to come and visit, the Easter Bunny. With the hope and intent of new and fresh goodies in our bag, the anticipation of the little bunny visiting creates entertainment and excitement!

It is easy for a HIPAA compliance program to be ordinary and unexciting. HIPAA consists of many different kinds of regulations that you must comply with just to make the government happy, and that might not really work in your organization. Many organizations focus on writing and creating a process in order to meet compliance, but over time that process becomes outdated and doesn’t really meet the intent behind the HIPAA regulations.

It is time to head down the HIPAA Trail and focus on HIPAA in a new way. As Peter Cottontail comes to provide treats and goodies for everyone’s baskets, it is time to provide your compliance program with a new basket of tools and tricks to make HIPAA fun and enjoyable. Rather than focusing on HIPAA as something that is forced and mandated just to comply with regulations, change the focus to something the organization does to protect the patients it sees and the information stored and maintained by the healthcare organization.

Here is a list of a few ideas to help provide your HIPAA Basket with new and fresh goodies:

  1. Conduct a HIPAA Risk Analysis – the risk analysis allows an organization to review and see potential risks so that they can be mitigated before an unauthorized use or disclosure of health information occurs. Get everyone involved; see how your entire organization can help and support the risk analysis process. Something fun is to go on a HIPAA scavenger hunt with employees: give them a walk-through document and send them to another department to see what they can find that might be a risk to your organization!
  2. Refresh HIPAA Training – so often organizations use the same training for HIPAA, or the same training format, year after year. While it is important to create consistency and assure proper training is occurring, a refresh of the format or content of the training can support better compliance among employees and a better understanding of the importance of protecting patient information.
  3. Review and Update Policies and Procedures – even when no regulations or processes have changed, it is always good to review the policies and procedures that help manage HIPAA compliance on a regular basis. While there is no mandate on how often, best practice is to review yearly or upon changes in technology, regulations, or physical space. Set a timeline each year to review policies and procedures, and commit to that timeline!
  4. Create a Culture of Privacy and Security Protections – the organizations that are most successful with HIPAA compliance create a culture of privacy and security protections. While policies and procedures, as well as technical and physical safeguards, are a necessity for HIPAA compliance, workforce members need to buy into the philosophy and intent of protecting and securing patient information. Many times your employees are the front-line defense in safeguarding and protecting patient information. If they don’t buy in or understand the importance, the organization will struggle to succeed with its HIPAA compliance.
  5. Create a HIPAA Governance Structure – there is that word, governance, again! Strong governance and oversight of the management of HIPAA at an organization will help transform it from a department or person who manages the privacy and security of patient information into an organization that knows the importance of protecting patient information and acts upon it throughout each day and every task. Have specific leaders throughout the process and assure that roles are clearly defined!

Office for Civil Rights (OCR) HIPAA audits are coming in 2015; take the time you have been given to fill your HIPAA compliance basket with new goodies and tools to be successful. Figure out how you can breathe new life into your HIPAA program and make it successful in protecting the valuable patient information that the organization is trusted with. HIPAA can be fun and exciting, just like the change in the season and a full basket of goodies! Hopefully you will bump into Peter Cottontail hopping down the HIPAA Trail!

“Most of us feel that our health information is private and should be protected. That is why there is a federal law that sets rules for health care providers and health insurance companies about who can look at and receive our health information.”

—Office for Civil Rights

Danika

