HIPAA Compliance Starts With a HIPAA Risk Assessment
A practice-wide, up-to-date HIPAA risk assessment is the foundation of HIPAA compliance, and the very first question on the OCR audit protocol. The Aligned Risk Management (ARM) process will save your staff hundreds of hours of work. ARM’s extensive knowledge and experience in HIPAA compliance consulting will arm you with the tools you need to sleep better and be confident that your compliance strategy is on a sure foundation.
How Do You Conduct an Effective Risk Assessment?
A HIPAA risk assessment is more than a checklist, more than a network scan. It needs to cover all your business processes, not just IT, and it needs to offer specific guidance to improve security.
When you work with ARM, our experts will interview your management and technology staff in person to:
- Inventory all systems, from your electronic health records application to your paper records and staff training
- Review policies and procedures and check business associate agreements
- Identify technical and non-technical process vulnerabilities
- Conduct a vulnerability scan of your local computer network
- Deliver specific, action-oriented recommendations aligned to your strategic goals
Risk Assessment Process
We’ll support your practice manager and IT staff through the ongoing risk management process, with an online compliance portal to help you stay organized and quarterly meetings to ensure you are always showing progress.
Policies and Procedures
Policy templates don’t work if you don’t customize them. We don’t offer fill-in-the-blank templates. We deliver complete documentation that accurately reflects your actual policies and procedures.
Security training is essential for mitigating the risk of insider misuse. It’s also required by HIPAA (45 CFR §164.308(a)(5), security awareness and training). We can train your staff in person at your location or ours, or you can sign up for our affordable online training, with automatic compliance reporting.
A Risk Management Plan You Can Understand
Our risk assessment report usually weighs in at around 90 pages with 70 or 80 specific recommendations for improving security. Now what?
HIPAA compliance is a journey, not a destination
Your risk assessment will identify actual threats to your patients’ data and realistically evaluate the likelihood of a breach. Likelihood and potential impact, considered together, determine the risk level of each finding, and those risk levels set the priorities for the ongoing risk management phase.
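As an added illustration of how likelihood and impact combine into a risk level and then into a priority order, the following Python ranks a constructed set of findings using a qualitative combination table modeled on NIST SP 800-30 Rev. 1, Appendix I. This is example code written for this page, not Aligned Risk Management’s process or its cost-benefit algorithm, and the finding identifiers, descriptions and ratings are made up for the illustration.

```python
"""Likelihood x impact risk ranking in the qualitative style of NIST SP 800-30 Rev. 1.

Added example for this page. It is NOT Aligned Risk Management's process or its
cost-benefit algorithm; the findings below are constructed sample data.
"""
from dataclasses import dataclass

# Qualitative scale shared by likelihood, impact and the resulting risk level.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Combination table modeled on NIST SP 800-30 Rev. 1, Appendix I (Table I-2).
# Row = likelihood, column = impact, both in LEVELS order. It is a lookup, not a
# sum: a Very High likelihood of a Very Low impact event is still Very Low risk,
# while a Moderate likelihood of a Very High impact event is High risk.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}


@dataclass(frozen=True)
class Finding:
    """One risk-assessment finding with its assessed likelihood and impact."""
    identifier: str
    description: str
    likelihood: str
    impact: str


def risk_level(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) pair to a qualitative risk level."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def rank_findings(findings):
    """Order findings for the risk management phase: highest risk level first,
    ties broken by impact (worse outcome first), then by likelihood."""
    def sort_key(f: Finding):
        return (
            LEVELS.index(risk_level(f.likelihood, f.impact)),
            LEVELS.index(f.impact),
            LEVELS.index(f.likelihood),
        )
    return sorted(findings, key=sort_key, reverse=True)


# Constructed sample findings (hypothetical identifiers, descriptions and ratings).
SAMPLE_FINDINGS = [
    Finding("F-01", "Unencrypted laptops carry ePHI off-site", "High", "High"),
    Finding("F-02", "No business associate agreement with cloud backup vendor", "Moderate", "Very High"),
    Finding("F-03", "System audit logs are never reviewed", "High", "Moderate"),
    Finding("F-04", "Paper charts stored in an unlocked cabinet", "Low", "Moderate"),
    Finding("F-05", "Workforce training attendance is not recorded", "Moderate", "Low"),
]


def ranked_identifiers(findings=SAMPLE_FINDINGS):
    """Return the finding identifiers in priority order."""
    return [f.identifier for f in rank_findings(findings)]


if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{risk_level(f.likelihood, f.impact):9}  {f.identifier}  {f.description}")
```

Run as a script, it prints the constructed findings in priority order. The missing business associate agreement (F-02) ranks above the unencrypted laptops (F-01) even though both are High risk, because the tie-break favors the larger potential impact; in a real engagement the remediation cost would also enter the ordering, which this example does not model.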
We deliver our report in print and on the ARM Online Compliance Portal, a secure web-based app where your team can manage all your compliance documentation. Your risk management plan is ranked by our proprietary cost-benefit algorithm. We meet with clients quarterly to review and update the plan, ensuring you are always demonstrating progress.
The Costs of Non-Compliance
Even small practices risk huge HIPAA fines…
Healthcare is a target in this golden age of data breaches and identity theft. HIPAA enforcement is heating up too, and fines can be astronomical.
The Department of Health and Human Services has identified small healthcare practices as a special focus for upcoming HIPAA audits. Some fines for non-compliance:
- Fresenius Medical Care North America (FMCNA) has agreed to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
- An HHS Administrative Law Judge ruled that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR
- Twelve-physician practice. Lost flash drive: $150,000
- Thirteen-physician practice. Laptop smash-and-grab from employee’s car: $750,000
- Two-physician practice, 441 patient records. Stolen laptop: $50,000
- Snooping employee, two patient records compromised: $865,500
In these cases, HHS cited the failure to conduct an accurate and thorough risk analysis among the HIPAA violations. Data breaches can happen in spite of good security measures; whether a current HIPAA risk assessment exists is a major factor in how high the penalties go.
Why Aligned Risk Management?
A thorough and accurate risk analysis is required by the HIPAA Security Rule, 45 CFR §164.308(a)(1)(ii)(A).
We believe a risk assessment should not be viewed as just a bureaucratic hurdle. A risk assessment is the foundation of any compliance strategy, but it is more. An effective risk assessment is a strategic best practice for any organization and an essential first step towards honoring the trust that patients place in their healthcare providers.
Aligned Risk Management has a unique and proven process for conducting a thorough and accurate HIPAA risk assessment. Our risk assessment report will not only meet regulatory requirements, it will create real business value and inform strategic decision-making.
The Aligned Risk Management approach for HIPAA compliance consulting is hands-on. Our risk analysts lead deep-dive interviews with key staff at the organization, which may include the HIPAA privacy and security officer, the IT manager, the practice administrator, contractors, outside consultants and others. Critical information is gathered from site visits, policy document analyses and vendor contract reviews. All data is collected and managed in Aligned Risk Management’s proprietary ARMIS (Aligned Risk Management Information System) and delivered digitally and in print. Our risk analysts conduct the assessment according to the standards outlined in NIST Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments.
Continuous Twelve Month Engagement
Our continuous improvement philosophy means our work does not end when we deliver a report. The consultants at Aligned Risk Management engage for a full 12 months, leading regular risk management follow-up meetings with staff. These meetings support steady progress in implementing and documenting the recommended improvements. We also use them to ensure effective resource allocation and the implementation of realistic solutions, rather than spending money on extravagant technology or burdensome procedures that do not fit the way the organization operates.
We always encourage a full 12 month engagement, with the initial report delivered in about six weeks; where recent assessment work exists, we leverage it to shorten that time frame.
Aligned Risk Management is a Rio Rancho small business founded in 2015. We serve healthcare clients and other covered entities as a specialized consultancy for targeted HIPAA compliance consulting, helping HIPAA covered entities stay compliant, profitable and competitive in one of the most challenging and regulated of business environments.
Aligned Risk Management currently employs four people, who work at our office in Rio Rancho. The firm represents more than 30 years combined experience conducting HIPAA risk assessments and related services. Our diverse team offers a uniquely broad set of skills in business strategy, healthcare operations, cybersecurity and compliance.
Scope and Methodology
Read more about our scope and methodology here.