Most organizations fail their HIPAA audit because they haven’t completed a HIPAA Risk Analysis. It’s a core HIPAA requirement but is often overlooked.
What is a HIPAA Audit?
The government conducts HIPAA audits at random to determine who complies and who doesn’t. Auditors look for up-to-date policies and good risk management. The best way to pass an audit is to make sure you’ve completed a HIPAA-compliant Risk Analysis. It’s the key to full compliance, and your path to an A grade on a HIPAA audit.
When HIPAA Risk Analysis is overlooked, bad things happen.
The Office for Civil Rights (OCR) is the agency that oversees HIPAA compliance and conducts the audits. OCR found that 94% of covered entities and 88% of business associates failed the Risk Management section of HIPAA audits. But a Risk Analysis that is done right, and refreshed every year, is the perfect blueprint to prevent data breaches and fines for noncompliance.
One common mistake is to tackle only the IT side and do a “security risk assessment.” But that is not the full picture: a complete HIPAA Risk Analysis – Risk Management plan covers all the HIPAA Rules: Privacy, Security, Breach Notification and Enforcement. Our solution covers it all, and gives you the tools to do it yourself.
When OCR investigates, it can impose fines, but it also usually requires annual Risk Analysis – Risk Management through a multi-year “corrective action plan.”
Cottage Health Systems and Touchstone Medical Imaging both paid OCR $3,000,000 in fines this year, and were mandated to complete HIPAA-compliant Risk Analysis – Risk Management in future years as part of the settlements.
One of the biggest settlements last year involved Fresenius Medical Care North America, where OCR made the point that Risk Analysis must be done at every location. Fresenius also paid $3,500,000 in fines.
Instead of getting caught and being forced into it, why not learn to do it now and avoid the headache and costs?
Why are healthcare organizations failing OCR’s HIPAA Audits?
Because Risk Analysis is misunderstood or overlooked. Does this sound like you?
- We’re not sure how
- It’s too difficult
- It’s too expensive
- It takes too much time
- It’s not necessary
- Maybe next year we’ll do it
We know how to help you do it, calmly, completely and confidently. This year.
What is HIPAA Risk Analysis – Risk Management?
A Risk Analysis is an inventory of the locations of protected health information (PHI) and of the risks to it.
- The inventory must include both electronic and non-electronic information
- It must include every location
- Do it once a year
Risk Management is a plan to reduce the risks you identify. It does not require perfection, or budget-breaking changes.
- Put in place “Administrative, Technical, and Physical Safeguards” to protect PHI
- Reduce risks to a reasonable and appropriate level
- Work on it throughout the year
Risk Analysis uncovers risks (once a year) and Risk Management helps you reduce risks (throughout the year).
Risk Analysis is More than a NIST Security Risk Assessment
Be sure to include an analysis of non-electronic assets and information. Many IT experts focus on a “security risk assessment,” which is important but not the whole picture: a fully compliant HIPAA Risk Analysis is more than a NIST (National Institute of Standards and Technology) Security Risk Assessment.
Step-by-step guidance makes HIPAA Risk Analysis easy.
Our approach at The HIPAA E-Tool® is to break it down into 3 parts, like a 3-Act play. It’s designed for a busy office manager or compliance officer to do it themselves, as time allows. You can do a chunk at a time, saving your work as you go. And there’s no need for expensive outside consultants.
HIPAA Risk Analysis is like middle school math – you have to show your work.
From The HIPAA E-Tool®
Act 1 is the inventory, starting with a simple list of PHI locations, a list of staff and a list of your business associates. You figure out the risks by naming “threats and vulnerabilities” for the PHI. The HIPAA E-Tool® is interactive: everything you enter in this first section carries forward to later sections, so you don’t have to re-enter anything.
Act 2 is the job assignment section. Who will do the action steps required to reduce your risks? What are the deadlines? When have they been completed? Everything you entered in the first sections shows up in this section, keeping you organized and on track.
Act 3 is documentation of everything. If OCR comes calling, this is your proof of compliance!
The Dashboard tracks your progress and reminds you what to do next. You don’t have to complete the Risk Analysis in a single day in a busy office. Save your work, check the Dashboard and pick it up again.
Once complete, you archive the whole thing. Next year when you do it again, your information is ready to go. You can easily add, subtract and refresh everything. Every year after the first is easier and faster, and the result is still comprehensive and complete.
With the right tools and step-by-step guidance, you can do a full HIPAA Risk Analysis by yourself. Prevent breaches, avoid fines and pass your HIPAA audit!
And if you have questions along the way, we have answers.
For more detailed discussion on Risk Analysis topics, see: