Posted on 22-Dec-2015

Steps to Compliance: Risk Assessment

PRESENTED BY

Today’s Presenters

Daniel B. Brown, Esq., Healthcare Attorney, Taylor English Duma LLP

Jason Karn, Director of Training and IT, Total HIPAA Compliance

Housekeeping

This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity.

The materials referenced here are subject to change, so frequent review of the source material is suggested.

What is a Risk Assessment?

A requirement for HIPAA compliance: a written evaluation of the Administrative, Physical, and Technical processes in your practice.

• Administrative: your written process for protecting PHI

• Physical: how you physically protect PHI

• Technical: how you protect electronic PHI

Why You Need to Conduct a Risk Assessment

Required by the HIPAA law (45 C.F.R. § 164.308(a)(1)). Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard (Section 164.308(a)(1)(ii)(A)).

• This is the first item an auditor will ask for

• This gives you an outline to develop your Privacy and Security Policies and Procedures

• Reveals areas that may require special attention

• First step to protecting your business and patients

Penalties

Alaska Dept. of Health & Human Services fined $1.7 million

• No Risk Assessment

Hospice of North Idaho settled case for $50,000

• Did not conduct a Risk Assessment

• Fewer than 500 people were affected

Anchorage Community Mental Health Services fined $150k

• Unpatched software

• Failed to conduct a Risk Assessment

What is a Meaningful Risk Assessment?

A meaningful Risk Assessment is a thorough audit of your practice’s processes, including:

• Administrative

• Physical

• Technical

Administrative


Privacy and Security Compliance Officers

List of all workforce members, roles, and their access

Written disciplinary/sanction policy for HIPAA violations

HIPAA Training Program

Business Associate Agreements in place

Plan for handling Breaches

Physical

How do you secure your offices…?

• Locks, key cards, alarms, etc.

How and where are personal records secured and stored?

Do you have an inventory of your electronic assets?

What do you do with old media?

How do you dispose of paper records?

Who has access to your office space?

Technical

What is your encryption policy for…?

• Computers

• Emails

• Electronic Files

Can you audit who has been accessing records?

Does each employee have their own unique password?

Do you have…?

• Data Backup Plan

• Disaster Recovery Plan

• Emergency Mode of Operation Plan

How Do You Complete a Risk Assessment?

Small and medium-size practices can conduct a Risk Assessment using HHS’s free tool.

• Expect to spend 10-20 hours completing this.

• http://nue.md/hhsriskassessment

Or hire an outside vendor to complete it.

• A Business Associate Agreement is required with this vendor.

How Often Should I Perform a Risk Assessment?

• Establish an initial assessment

• After major changes in software or hardware

• No changes: revisit the Assessment every 2-3 years

• When you’ve had a Breach

Special Thanks

Taylor English Duma LLP is a full-service law firm built from the ground up to provide highest-quality legal services for optimal value. The firm was founded in 2005 and its attorneys work each day to provide timely, creative and cost-effective counsel to help clients solve problems and achieve goals. Taylor English represents all types of clients—from Fortune 500 companies to start-ups to individuals.
