This post was contributed by a community member. The views expressed here are the author's own.

HIPAA Risk Analysis - Techniques to Find and Manage Security Risks

Overview: The session will present how to use risk analysis techniques to help make good compliance decisions that are defensible and sensible. For many compliance questions, careful consideration of the likelihood of the issue being a problem, and the potential impact if it is a problem, can help provide understanding of how to prioritize and compare risk issues and make day-to-day decisions. 

This session will cover the requirements for risk analysis and assessment in the HIPAA rules and provide a framework for analysis of risks for compliance with HIPAA Security Rule requirements (in §164.308(a)(1)) and the new breach determination requirements in the updated HIPAA Breach Notification Rule, and show how the two are related in a good compliance program. We will show how to go about assessing your risks and organizing your compliance plan, and show how having that information makes it easier to assess risks in the event of a breach. 

For the Security Rule, we will explain what is called for in the rule and show a way to approach the work in an organized way that saves effort and produces meaningful results, with examples of how to conduct the risk analysis, and sample documents and templates provided. For the updated Breach Notification Rule, we will explain how the new process differs from the old "harm standard" that has been removed from the rule. If none of the defined exceptions for notification apply, the breach is reportable unless you can show, by a risk analysis, that there is a "low probability of compromise." The risk analysis must include at least four factors: 1) what the data is, how well identified it is, and how sensitive it is, 2) to whom the data was improperly disclosed, 3) whether or not the information was actually viewed or accessed, and 4) how the breach was mitigated. Issues with any one of the four factors can require reporting the breach. We will explain how to consider these factors.

The session will also include information on HIPAA Audits and how to be prepared to show that you have the right policies and procedures in place and are using them. To withstand random audits and investigations of non-compliance that may result from a breach report or complaint, thorough documentation of compliance-related activity is required. We will explain how to document your compliance using the HIPAA Audit Protocol as a guide, so you can be sure to avoid trouble if HHS asks questions about your compliance.

Areas Covered in the Session:

  • Identification of requirements for Risk Analysis in HIPAA Privacy, Security, and Breach Notification, and Meaningful Use Rules
  • Presentation of methods for identifying and evaluating risks
  • Techniques for organizing issues and prioritizing risk mitigation
  • How a thorough Risk Analysis satisfies many requirements in HIPAA at once
  • The difference between a HIPAA Risk Analysis and a Meaningful Use Risk Analysis
  • The Four Factors to consider in a Risk Assessment for determining whether or not to report a breach
  • Evaluating and comparing risks and risk mitigation methods
  • Policy versus Technology - both can bring compliance, but both must be audited by you

Who Will Benefit:
  • Compliance Director
  • CEO
  • CFO
  • Privacy Officer
  • Security Officer
  • Information Systems Manager
  • HIPAA Officer
  • Chief Information Officer
  • Health Information Manager
  • Healthcare Counsel/lawyer
  • Office Manager

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.


MentorHealth
Phone No: 800-385-1607
Fax: 302-288-6884
webinars@mentorhealth.com
Event Link: http://bit.ly/1fZlWnE
http://www.mentorhealth.com/