June 25, 2022

Volume XII, Number 176

Advertisement
Advertisement

June 24, 2022

Subscribe to Latest Legal News and Analysis

June 23, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA Risk Assessment

When the Office for Civil Rights (“OCR”) auditor drops by your health facility to ensure that you are complying with HIPAA, one thing is for certain: he will be asking to see your Risk Assessment. Do you have one? Is it completed? Has it been used to develop and implement appropriate policies and procedures?

“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”
-Leon Rodriguez, former head of the U.S. Health and Human Services Office for Civil Rights

Audit Risks Are Real

The OCR is cracking down on covered entities’ and business associates’ compliance with HIPAA. Audits are becoming commonplace and resulting in more and more providers being hit with fines and sanctions. You may think that even if you are subject to an audit, then penalty will be a slap on the wrist. Think again. The maximum penalty for a HIPAA violation is now $1.5 million. Maybe you are too small of a provider to be the target of an audit? Think again, again. In January of 2013, Hospice of North Idaho agreed to pay the Department of Health and Human Services (“HHS”) $50,000 to settle potential HIPAA violations stemming from a 2010 incident involving a stolen, unencrypted laptop. It was the first HIPAA breach settlement involving less than 500 people. The hospice did not have a risk assessment in place.

Risk Assessments Are Not Optional

A HIPAA risk assessment is a thorough investigation and analysis of areas where there is potential risk of violating HIPAA laws. A risk assessment is not optional and it is not just a checklist. Covered entities, and now business associates, are required to have an assessment done. Specifically, entities must:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

These assessments are critical to compliance with the HIPAA Security Rule. An assessment should include questions addressing administrative, physical, and technical safeguards, and the Breach Notification Rule. Many assessments are created in the form of a table and not only analyze the level of the risk, but also whether there is a policy in place and who should be responsible for ensuring each provision is implemented.

Risk Assessments Are Just the First Step

Once your facility’s risk assessment is complete, then it and any relevant accompanying documents should be kept in your HIPAA security files. Assessing risks is only a first step. You must use the results of your risk assessment to develop and implement appropriate policies and procedures. The use of a privacy officer is highly recommended. Consider offering training to employees where a sign-in sheet is required and certifications are provided once training is complete. This kind of documentation will be very beneficial when the OCR auditor is at your door.

© 2022 by McBrayer, McGinnis, Leslie & Kirkland, PLLC. All rights reserved.National Law Review, Volume V, Number 181
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Molly Nicol Lewis, McBrayer Law Firm, Health Care Attorney
Associate

Molly Nicol Lewis is an Associate of McBrayer, McGinnis, Leslie & Kirkland, PLLC. She practices in the firm's Lexington office, where she is a member of the Health Care Law section.

859-554-4414
Advertisement
Advertisement
Advertisement