An effective Risk Analysis is the absolute key to HIPAA compliance, and an effective Gap Analysis is the absolute key to an effective Risk Analysis. If you implement a security measure without first having performed a Risk Analysis, you are just guessing. And if you try to conduct an initial Risk Analysis or to update your current Risk Analysis without first having figured out where the gaps in your compliance efforts are, you are just guessing.
Risk Analysis is a required implementation specification under the Security Management Process Standard in 45 C.F.R. § 164.308(a)(1)(ii)(A). Most of the HIPAA settlements with the Department of Health and Human Services (“DHHS”) to date have included failure to conduct a Risk Analysis, along with other violations, such as failure to implement policies and procedures and failure to train workforce members as required by HIPAA. For example, Blue Cross Blue Shield of Tennessee entered into a $1.5 million settlement for failure to update its Risk Analysis when it moved its electronic equipment and media to a new leased location.
So you have to perform a Risk Analysis. If you have no idea how to start the process of Risk Analysis, or have no time, expertise, or staff members to do so and know that you need help, see our new tool in our store, the Gap Analysis Survey Questionnaire with confidential report and phone consultation. If you have conducted a Risk Analysis but circumstances have changed in your organization, such as a change in technology, a change in how you do business, or a new risk, you need to update your Risk Analysis, and you should update it at least annually. Use this new tool to help you with that initial or updated Risk Analysis process. Yes, the Gap Analysis Survey Questionnaire is the one that is on the HIPAA Documents Resource Center CD, 5th edition, for those of you who have the Compliance Library, but this new tool pairs that questionnaire with a confidential report based on your answers to the Gap Analysis Survey Questionnaire and a phone consultation with one of the HIPAA experts at Veterans Press/EMR Legal.
The Omnibus (some call it Mega) Rule deadline of September 23, 2013, is fast approaching. Would you be ready to survive a DHHS audit? Are you sure? Do you have the documentation to prove it? Get our new tool, get started immediately, and be well on your way to being able to show a good faith effort to achieve HIPAA compliance.