Published by Jocelin Walsh. Modified over 9 years ago.
Steps to Compliance: Risk Assessment
Today's Presenters
Daniel B. Brown, Esq., Healthcare Attorney, Taylor English Duma LLP
Jason Karn, Director of Training and IT, Total HIPAA Compliance
Housekeeping
This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity. The materials referenced here are subject to change, so frequent review of the source material is suggested.
What is a Risk Assessment?
A Risk Assessment is a requirement for HIPAA compliance: a written evaluation of the Administrative, Physical, and Technical processes in your practice.
Administrative: your written process for protecting PHI
Physical: how you physically protect PHI
Technical: how you protect electronic PHI
Why You Need to Conduct a Risk Assessment
Required by the HIPAA law: risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard (45 C.F.R. § 164.308(a)(1); see Section 164.308(a)(1)(ii)(A)).
This is the first item an auditor will ask for.
It gives you an outline to develop your Privacy and Security Policies and Procedures.
It reveals areas that may require special attention.
It is the first step to protecting your business and patients.
Penalties
Alaska Dept. of Health & Human Services: fined $1.7 million. No Risk Assessment.
Hospice of North Idaho: settled the case for $50,000. Did not conduct a Risk Assessment; fewer than 500 people were affected.
Anchorage Community Mental Health Services: fined $150k. Unpatched software; failed to conduct a Risk Assessment.
What is a Meaningful Risk Assessment?
A meaningful Risk Assessment is a thorough audit of your practice's processes, including the Administrative, Physical, and Technical areas.
Administrative
Privacy and Security Compliance Officers
List of all workforce members, their roles, and their access
Written disciplinary/sanction policy for HIPAA violations
HIPAA Training Program
Business Associate Agreements in place
Plan for handling Breaches
Physical
How do you secure your offices? Locks, key cards, alarms, etc.
How and where are personal records secured and stored?
Do you have an inventory of your electronic assets?
What do you do with old media?
How do you dispose of paper records?
Who has access to your office space?
Technical
What is your encryption policy for computers, emails, and electronic files?
Can you audit who has been accessing records?
Does each employee have their own unique password?
Do you have a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode of Operation Plan?
How Do You Complete It?
Small and medium-size practices can conduct a Risk Assessment using HHS's free tool. Expect to spend 10-20 hours completing this. http://nue.md/hhsriskassessment
Alternatively, hire an outside vendor to complete it. A Business Associate Agreement is required with this vendor.
How Often Should I Perform a Risk Assessment?
Establish an initial assessment.
Repeat after major changes in software or hardware.
If nothing has changed, revisit the Assessment every 2-3 years.
Repeat when you've had a Breach.
Special Thanks
Taylor English Duma LLP is a full-service law firm built from the ground up to provide highest-quality legal services for optimal value. The firm was founded in 2005 and its attorneys work each day to provide timely, creative and cost-effective counsel to help clients solve problems and achieve goals. Taylor English represents all types of clients, from Fortune 500 companies to start-ups to individuals.