HIPAA Risk Analysis

William R. Pupkis, CMPE, Healthcare Consultant
The Health Information Portability and Accountability Act (HIPAA) privacy and security enforcement has grown this year. Combined with the recent very high fines for non-compliance, your practice can’t let its guard down where protected health information is concerned. Under the New HIPAA Security Rule’s Meaningful Use measures and the Health Information Technology for Economic and Clinical Health (HITECH) Act, your practice is required to perform a risk analysis to identify possible security breach areas. If your practice does not, it could incur a $10,000 minimum penalty for “willful neglect” of compliance.

The recent multi-million dollar HIPAA joint settlement by New York-Presbyterian Hospital (NYP) and Columbia University (CU) was the largest payout of any kind – $4.8 million – to settle a HIPAA case. NYP and CU failed to conduct an accurate and thorough risk analysis of all systems utilizing electronic personal health information (ePHI), which led to the release of the NYP ePHI of 6,800 patients to Google and other Internet search engines when a computer server was errantly reconfigured. Other recent cases involved the settlement of Concentra Health Services for $1,725,220 and QCA Health Plan, Inc. in the amount of $250,000. Both companies experienced the theft of an unencrypted laptop containing patient PHI.


HIPAA compliance extends beyond your in-office privacy practices. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights has issued more guidance on what your business associate agreements (BAAs) should look like. If you're not complying with the BAA rules, you're inviting trouble. A covered entity and a business associate are any organization or corporation that directly handles PHI or personal health records (PHR). The most common examples of covered entities include hospitals, doctors’ offices, and health insurance providers. Covered entities are required to comply with HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) mandates for protection of PHI and PHR. A business associate under the HIPAA Privacy Rule is a person or organization that uses or creates protected health information on behalf of a covered entity while performing certain functions or activities. These activities can include such things as claims processing, billing activities, legal services, accounting services, consulting services, administrative services, and even software or hardware support.

During the first five years of required compliance with the privacy rule (2003 through 2007), no money changed hands. That approach was in line with the Bush administration's stated policy. However, from 2008 through 2011, there were a few settlements in the million dollar range. In 2009, as part of a series of more stringent privacy protections included in the American Recovery and Reinvestment Act, Congress mandated that HHS begin a series of audits of healthcare organizations for adherence to privacy and security rules. Also in 2009, with the beginning of the Obama administration, and particularly from 2011 under the leadership of former federal fraud prosecutor Leon Rodriguez, the OCR gradually shifted away from jawboning healthcare organizations into compliance with HIPAA privacy and security rules in favor of implementing more aggressive settlement agreements, some with sizable penalties.

A first round of 115 audits was completed in late 2012. A final report on the results of that audit program has not been released, but Rodriguez has said publicly the audits showed “a good number” of organizations had problems meeting the risk assessment requirement under the law.

With all these penalties and audits taking place, you need a resource by your side to reduce your HIPAA breach dangers, tighten up your electronic health record (EHR) privacy, update business associate agreements, and learn how to create a good risk analysis plan. HHS.gov provides information on the latest HIPAA and HITECH updates, including valuable resources, such as sample business associate agreements, and training materials (see www.hhs.gov/ocr/privacy/hipaa/understanding/training) to help ensure your practice’s compliance.

If your practice wrote a stout privacy and security compliance program, it should stand up well to federal HIPAA audits. Proactive healthcare organizations are generally rewarded when it comes to data breach avoidance and remediation. An important piece of this equation is performing consistent risk analyses. Please view a copy of the OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule [PDF].

See the following article, OCR and HIPAA Compliance, for more information.

Terms and Conditions

Statements and opinions expressed in the Newsletter, Preferred Talk, are those of the author(s) and do not necessarily reflect those of DT Preferred Group, LLC. DT Preferred Group, LLC makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. In publishing this Newsletter, neither the authors nor DT Preferred Group, LLC are engaged in rendering medical or other professional service. If medical advice or other expert assistance is required, the services of a competent professional should be sought. DT Preferred Group, LLC will not be liable for any losses, injuries, or damages from the display or use of this information. This policy is subject to change at anytime.


This entry was posted on Wednesday, May 28th, 2014 at 12:52 pm and is filed under Practice Management.
