McBrayer Blogs
Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA Risk Assessment
“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”
-Leon Rodriguez, head of the U.S. Health and Human Services Office for Civil Rights
When the Office for Civil Rights (“OCR”) auditor drops by your health facility to ensure that you are complying with HIPAA, one thing is for certain: he will be asking to see your Risk Assessment. Do you have one? Is it completed? Has it been used to develop and implement appropriate policies and procedures?
Audit Risks Are Real
The OCR is cracking down on covered entities’ and business associates’ compliance with HIPAA. Audits are becoming commonplace and resulting in more and more providers being hit with fines and sanctions. You may think that even if you are subject to an audit, the penalty will be a slap on the wrist. Think again. The maximum penalty for a HIPAA violation is now $1.5 million. Maybe you are too small of a provider to be the target of an audit? Think again, again. In January of 2013, Hospice of North Idaho agreed to pay the Department of Health and Human Services (“HHS”) $50,000 to settle potential HIPAA violations stemming from a 2010 incident involving a stolen, unencrypted laptop. It was the first HIPAA breach settlement involving fewer than 500 people. The hospice did not have a risk assessment in place.
Risk Assessments Are Not Optional
A HIPAA risk assessment is a thorough investigation and analysis of areas where there is potential risk of violating HIPAA laws. A risk assessment is not optional and it is not just a checklist. Covered entities, and now business associates, are required to have an assessment done. Specifically, entities must:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
These assessments are critical to compliance with the HIPAA Security Rule. An assessment should include questions addressing administrative, physical, and technical safeguards, and the Breach Notification Rule. Many assessments are created in the form of a table and not only analyze the level of the risk, but also whether there is a policy in place and who should be responsible for ensuring each provision is implemented.
Risk Assessments Are Just the First Step
Once your facility’s risk assessment is complete, then it and any relevant accompanying documents should be kept in your HIPAA security files. Assessing risks is only a first step. You must use the results of your risk assessment to develop and implement appropriate policies and procedures. The use of a privacy officer is highly recommended. Consider offering training to employees where a sign-in sheet is required and certifications are provided once training is complete. This kind of documentation will be very beneficial when the OCR auditor is at your door.
If you are a provider and would like help creating and implementing a HIPAA risk assessment, contact the health care attorneys at McBrayer PLLC. We are available to provide privacy and security training, along with a risk assessment tool that can be tailored to individual providers. It is not a question of if there is a breach at your facility, but rather when. Let us help you be prepared.