Risk Assessment: Why is this such a big deal?
Answer: Conducting regular risk assessments is fundamentally good business practice.
In our business, we talk with covered entities (CEs) who will sometimes tell us, “Oh yeah! We’re HIPAA compliant. We have an EMR system that takes care of all of that stuff for us.” Of course we remind them that an EMR system does not make an organization HIPAA compliant; far from it. The Security Rule applies to the organization and to all of the electronic protected health information (ePHI) it creates, receives, maintains, or transmits, not just to the records inside one application.
Security Rule ignored
The Office for Civil Rights (OCR) has reported that organizations continue to ignore the HIPAA Security Rule requirement to conduct periodic risk assessments. Of the 25 Settlement Agreements between non-compliant organizations and OCR since 2008, 18 (72%) involved an organization that had not conducted a bona fide risk analysis.
So we state again that, in addition to being a regulatory requirement under HIPAA, PCI DSS and Meaningful Use (MU), conducting regular risk analysis is fundamentally good business practice, yet organizations have largely been found lacking in this area.
What is a Risk Assessment?
The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information (ePHI) the organization holds. According to the OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule, conducting that risk analysis is the first step in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure ePHI.
“Risk comes from not knowing what you’re doing.”
I’ve added this quote from Warren Buffett because it’s a perfect response to our covered entity friends who think an EMR system makes them HIPAA compliant. Again, this is simply not true and they are putting their patients and their business at great risk by not knowing what the OCR publishes on this topic.
DTS InfoTech Can Help
Many health care providers we have met with are not HIPAA compliant. If this describes you, we can help you achieve compliance, demonstrate compliance to auditors, and maintain full compliance.
For more information: www.dtsinfotech.com/hipaa-compliance-for-small-health-care-practices-2/
Dedicated to your success,
General Manager and Compliance Officer
dts|infotech . . . computer networks that work