Fourth quarter signifies more than a countdown to the holidays, many healthcare organizations are met with the realization that it is time to complete HIPAA risk analysis in order to comply with MACRA – MIPS. Of course, HIPAA risk analyses are nothing new, practices should be conducting them regularly, in light of the HIPAA Omnibus Rule which gave teeth to the regulations and made an annual HIPAA risk analysis a requirement for every healthcare organization.
Recently, I was recently reading a blog post by HIPAA One called “Not All Risk Analysis Tools Created Equal” and it made me think about the requirements for a bona fide risk analysis. I realize that HIPAA One provides a risk analysis solution and therefore, approaches the conversation as a vendor would, however, they are also deeply embedded in the HIPAA risk assessment world and have a unique understanding of what’s happening.
I’ve seen first-hand the principle they describe in the post with many medical practices. Most medical practices are so overwhelmed with the daily grind of dealing with staff issues, schedules, billing, supplies, etc that it’s hard for them to distinguish between a high quality risk analysis tool and one that was built 3 years ago and hasn’t been updated since then.
In HIPAA One’s blog post they offered a list of what you should look for in a HIPAA risk analysis solution and I think this is a great starting point for any organization that needs a tool or is evaluating their existing tool:
- Industry-Certified Auditors on Staff – Verify the vendor has:
- Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc. and
- Previous experience responding to AND PASSING government and private-sector audits.
- Compliance Gap-Assessment – This assessment determines if your workplace meets each of the HIPAA requirements as selected the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
- Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
- Risk Analysis –Bona Fide security risk analysis which digs into any non-compliant areas along with a calculation tool that addresses which gaps are low, medium or high risk to the organization using NIST-based methodologies (i.e. at minimum NIST800-30 rev1 and NIST 800-53 rev 4).
- Remediation Plan – This documented plan answers the questions: “Who will do what by when” in regards to remediating gaps in compliance.
- Final Report – Key deliverable proving compliance with HIPAA security risk analysis.
- Ongoing Tracking – Track the resolution of those gaps in compliance by proving due diligence in the event of an audit.
- Periodic Re-evaluation – Each year take a new “snapshot” performing steps 2-6 on any changes that happened from the previous year.
The item on this list that I see fall short in many solutions and services on the market today is the remediation plan. It’s amazing how many tools only account for a risk analysis, and do not provide any guidance on creating remediation plans for any risks you find. That’s a big deal and could leave you in trouble if your practice is ever audited and hasn’t remediated any of your security deficiencies .
The good news is that HIPAA risk analysis tools have come a long way over the years. ] Much like you need to make sure EHR vendors are updating and improving their systems to meet your needs and comply with changes in government regulations, the same is true with HIPAA risk analysis tools. Make sure you take the time needed to ensure the quality of the tools and services you’re using. Ignorance is not bliss when a HIPAA audit occurs.
Note: HIPAA One is a Healthcare Scene sponsor.