
Steps to Compliance: Risk Assessment PRESENTED BY.


1 Steps to Compliance: Risk Assessment PRESENTED BY

2 Today's Presenters
- Daniel B. Brown, Esq., Healthcare Attorney, Taylor English Duma LLP
- Jason Karn, Director Training and IT, Total HIPAA Compliance

3 Housekeeping
This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity. The materials referenced here are subject to change, so frequent review of the source material is suggested.

4 What is a Risk Assessment?
- Requirement for HIPAA Compliance
- Written evaluation of Administrative, Physical, and Technical processes in your practice
  - Administrative: your written process for protecting PHI
  - Physical: how you physically protect PHI
  - Technical: how you protect electronic PHI

5 Why You Need to Conduct a Risk Assessment
- Required by the HIPAA Law (1)
  - This is the first item an auditor will ask for
  - This gives you an outline to develop your Privacy and Security Policies and Procedures
- Reveals areas that may require special attention
- First step to protecting your business and patients

(1) 45 C.F.R. § 164.308(a)(1). Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A).

6 Penalties
- Alaska Dept. Health & Human Services fined $1.7 million
  - No Risk Assessment
- Hospice of North Idaho settled case for $50,000
  - Did not conduct a Risk Assessment
  - Fewer than 500 people were affected
- Anchorage Community Mental Health Services fined $150k
  - Unpatched software
  - Failed to conduct a Risk Assessment

7 What is a Meaningful Risk Assessment?
A meaningful Risk Assessment is a thorough audit of your practice's processes, including:
- Administrative
- Physical
- Technical

8 Administrative
- Privacy and Security Compliance Officers
- List of all workforce members, roles, and their access
- Written disciplinary/sanction policy for HIPAA violations
- HIPAA Training Program
- Business Associate Agreements in place
- Plan for handling Breaches

9 Physical
- How do you secure your offices? Locks, key cards, alarms, etc.
- How and where are personal records secured and stored?
- Do you have an inventory of your electronic assets?
- What do you do with old media?
- How do you dispose of paper records?
- Who has access to your office space?

10 Technical
- What is your encryption policy for...?
  - Computers
  - Emails
  - Electronic Files
- Can you audit who has been accessing records?
- Does each employee have their own unique password?
- Do you have...?
  - Data Backup Plan
  - Disaster Recovery Plan
  - Emergency Mode of Operation Plan

11 How Do You Complete It?
- Small and medium-size practices can conduct a Risk Assessment using HHS's free tool. Expect to spend 10-20 hours completing this.
- Hire an outside vendor to complete it
  - A Business Associate Agreement is required with this vendor

12 How Often Should I Perform a Risk Assessment?
- Establish initial assessment
- Major changes in software or hardware
- No changes: revisit Assessment every 2-3 years
- When you've had a Breach

13 Special Thanks
Taylor English Duma LLP is a full-service law firm built from the ground up to provide highest-quality legal services for optimal value. The firm was founded in 2005 and its attorneys work each day to provide timely, creative and cost-effective counsel to help clients solve problems and achieve goals. Taylor English represents all types of clients, from Fortune 500 companies to start-ups to individuals.
