HIPAA Compliance Starts With a HIPAA Risk Assessment
A practice-wide, up-to-date HIPAA risk assessment is the foundation of HIPAA compliance, and the very first question on the OCR audit protocol. The Aligned Risk Management (ARM) process will save your staff hundreds of hours of work. You’ll sleep better, confident that your compliance strategy is on a sure foundation.
How Do You Conduct an Effective Risk Assessment?
A HIPAA risk assessment (what the Security Rule, 45 CFR 164.308(a)(1)(ii)(A), calls a risk analysis) is more than a checklist and more than a network scan. It needs to cover all of your business processes, not just IT, and it needs to offer specific guidance on how to improve security.
With the ARM process you get a solid plan for moving forward. When you work with ARM, our experts interview your management and technology staff in person to:
- Inventory all systems, from your electronic health records application to your paper records and staff training
- Review policies and procedures, check business associate agreements
- Identify technical and non-technical process vulnerabilities
- Conduct a vulnerability scan of your local computer network
- Deliver specific, action-oriented recommendations aligned to your strategic goals
Risk Assessment Process
We’ll support your practice manager and IT staff through the ongoing risk management process, with an online compliance portal to help you stay organized and quarterly meetings to ensure you are always showing progress.
Policies and Procedures
Policy templates don’t work if you don’t customize them. We don’t offer fill-in-the-blank templates. We deliver complete documentation that accurately reflects your actual policies and procedures.
Security training is essential for mitigating the risk of insider misuse, and it is required by HIPAA. We can train your staff in person at your location or ours, or you can sign up for our affordable online training, with automatic compliance reporting.
A Risk Management Plan You Can Understand
Our risk assessment report usually weighs in at around 90 pages, with 70 or 80 specific recommendations for improving security. Now what?
HIPAA compliance is a journey, not a destination
Your risk assessment will identify actual threats to your patients' data and realistically evaluate the likelihood of a breach. Likelihood and potential impact, taken together, are the key factors in evaluating risk levels. The risk levels identified during the risk assessment phase determine the priorities of the ongoing risk management phase.
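To make the likelihood-and-impact scoring concrete, here is a small risk register ranker, added as an illustration for this page; it is not ARM's proprietary cost-benefit algorithm and not code from the original page. The five-step qualitative scales, the multiplicative combination of likelihood and impact, the risk-level bands, the relative remediation-cost tiebreak, and the sample findings are all assumptions chosen for the example.

```python
"""Rank risk-assessment findings by likelihood and impact.

Added illustration only (not ARM's proprietary algorithm). The scales,
bands, tiebreak and sample findings are assumptions for the example,
loosely modelled on NIST SP 800-30 style qualitative levels.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed five-step qualitative scale for both likelihood and impact.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    description: str
    likelihood: str        # key of LEVELS
    impact: str            # key of LEVELS
    remediation_cost: int  # assumed relative cost, 1 (cheap) .. 5 (expensive)


def risk_score(f: Finding) -> int:
    """Combine likelihood and impact on a 1..25 scale (product is an assumption)."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]


def risk_level(score: int) -> str:
    """Map a numeric score to a level; bands are assumed and should be tuned
    to the practice's own risk appetite."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    if score >= 3:
        return "low"
    return "very low"


def prioritize(findings):
    """Highest risk first; among equal scores, cheaper fixes first
    (an assumed cost-benefit tiebreak), then by id for a stable order."""
    return sorted(
        findings,
        key=lambda f: (-risk_score(f), f.remediation_cost, f.finding_id),
    )


def risk_register(findings):
    """Return (id, score, level) rows in remediation-priority order."""
    return [
        (f.finding_id, risk_score(f), risk_level(risk_score(f)))
        for f in prioritize(findings)
    ]


def counts_by_level(findings):
    """How many findings sit at each risk level (useful for a summary page)."""
    return dict(Counter(risk_level(risk_score(f)) for f in findings))


# Constructed sample findings for the example; not real assessment results.
SAMPLE_FINDINGS = [
    Finding("F-01", "Unencrypted laptop carries ePHI off site", "high", "very high", 2),
    Finding("F-02", "No business associate agreement with billing vendor", "moderate", "high", 1),
    Finding("F-03", "Paper charts kept in an unlocked cabinet", "moderate", "moderate", 1),
    Finding("F-04", "Annual security training not delivered", "high", "moderate", 2),
    Finding("F-05", "EHR server missing critical patches", "high", "very high", 4),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(row)
    print(counts_by_level(SAMPLE_FINDINGS))
```

Run as written, the two "high" findings come out on top, with the cheaper laptop encryption fix ranked ahead of the costlier server patching effort, which is the kind of ordering a risk management plan uses to decide what to tackle this quarter.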
We deliver our report in print and on the ARM Online Compliance Portal, a secure web-based app where your team can manage all of your compliance documentation. Your risk management plan is ranked by our proprietary cost-benefit algorithm. We meet with clients quarterly to review and update the plan, ensuring you are always demonstrating progress.
The Costs of Non-Compliance
Even small practices risk huge HIPAA fines…
Healthcare is a prime target in this golden age of data breaches and identity theft. HIPAA enforcement is heating up too, and fines can be very large.
The Department of Health and Human Services has identified small healthcare practices as a special focus for upcoming HIPAA audits. Some recent fines for non-compliance:
- Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
- An HHS Administrative Law Judge ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to OCR on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties
- Twelve-physician practice. Lost flash drive: $150,000
- Thirteen-physician practice. Laptop smash-and-grab from employee’s car: $750,000
- Two-physician practice, 441 patient records. Stolen laptop: $50,000
- Snooping employee, two patient records compromised: $865,500
In each of these cases, the Department identified the failure to conduct a risk assessment as the primary HIPAA violation. Data breaches can happen despite the best security measures. It is the presence or absence of a documented HIPAA risk assessment that largely determines how high the fines will go.