How To Conduct a Bona Fide HIPAA Security Risk Analysis

With the HIPAA Omnibus Final Rule taking effect in March 2013, Covered Entities and Business Associates (a definition that now extends to their subcontractors, and so effectively to any entity that creates, receives, maintains or transmits electronic Protected Health Information) became statutorily obligated to comply with the HIPAA Security Rule requirement to complete a formal HIPAA Security Risk Analysis in accordance with specific guidelines.  Results from the 2012 OCR Audits and from ongoing OCR Investigations demonstrate that there are huge inadequacies in how risk assessments are being performed.  CMS is conducting both pre-payment and post-payment audits related to Meaningful Use Attestation.  Does your organization know how to complete a bona fide risk analysis? Learn the fundamentals of completing a bona fide risk analysis in this complimentary webinar.

Attend this complimentary webinar on: 

Friday, April 25, 2014   11:00 a.m. – 12:00 p.m. CDT

Thursday, May 22, 2014   11:00 a.m. – 12:00 p.m. CDT

Thursday, June 19, 2014  11:00 a.m. – 12:15 p.m. CST


The Challenge

The deadline for HIPAA Security Rule compliance for Covered Entities (CEs) was April 2005!  For Business Associates (BAs), the date was February 2010, when they became statutorily obligated to comply with the law as a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009.  Now, with the publication of the HIPAA Omnibus Final Rule on January 25, 2013, the definition of Business Associates has been extended to their subcontractors, and all are obligated to comply by September 23, 2013.

Additionally, the federal government unveiled its criteria for the Meaningful Use of electronic health records (EHRs) on July 13, 2011. The criteria must be met for an eligible hospital (EH), eligible provider (EP) or critical access hospital (CAH) to qualify for reimbursement of the cost of EHR software under the American Recovery and Reinvestment Act of 2009 (ARRA).  The meaningful use criteria are divided into two groups: the core set, which is mandatory, and the menu set, from which hospitals and EPs may choose five of the 10 criteria. The mandatory core set includes a specific privacy / security requirement to “Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.”  For EHs, EPs and CAHs, one certification criterion is:

“Conduct or review a security risk analysis and implement security updates as necessary.”

Whether for overall HIPAA-HITECH compliance or for meeting Meaningful Use requirements, completing a formal HIPAA Security Risk Analysis is both a foundational compliance step and a requirement of the law:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

The Results

The Risk Analysis process and methodology presented in the session have been used by organizations of all sizes, and the content of this webinar has been purposefully designed to be usable by everyone from the largest CEs and BAs (e.g., hospitals, insurers, care management firms, etc.) to the smallest CEs and BAs (e.g., small medical practices, clinics, dental offices, medical billing companies, etc.).

No matter where you are in your HIPAA-HITECH compliance journey, you will benefit from learning about:

  • The Risk Analysis implementation specification
  • HHS/OCR Final Guidance on Risk Analysis
  • How to actually perform a bona fide risk analysis that meets both the requirements of the HIPAA security rule and the meaningful use criteria

Many CEs have ignored the HIPAA Security Rule for the last five years.  A majority of BAs, and now subcontractors, are not even aware of their obligations under the law.  The Health Information Technology for Economic and Clinical Health (HITECH) Act has been called a “game changer” because it significantly strengthened many aspects of the HIPAA Security Rule (and Privacy Rule), including enforcement and the penalties that the U.S. Department of Health and Human Services (HHS) can impose for violations of the HIPAA rules. As a visible demonstration of seriousness, HHS has begun posting Data Breach Notifications/Violations, as required by law, on its web site.

If you are a “Business Associate” or “Covered Entity” or a “subcontractor” that creates, receives, maintains or transmits ePHI, you will benefit from attending this session.

Who Should Attend?

Business leaders and managers with responsibility for Risk Management, Corporate Compliance, and HIPAA-HITECH Privacy and Security compliance should attend, including CEOs, COOs, CFOs, Chief Compliance Officers, Chief Risk Officers, Chief Privacy Officers, Chief Security Officers and Chief Information Officers.

Agenda

This session is offered as a 60-minute webinar using the GoToWebinar platform. The open format encourages questions during and after the session. Attendees will receive the presentation materials the day after the event.

In this live session, attendees will learn about:

  • Bona Fide Risk Analysis essentials
  • Specific requirements outlined in HHS/OCR Final Guidance
  • A Practical Risk Analysis Methodology
  • Step-by-Step Instructions for completing a HIPAA Risk Analysis
  • Tools, templates and forms available to help

This webinar is designed to help CEs and BAs understand and act on the specific Risk Analysis requirements included in the HIPAA Security Final Rule, as amended by The HITECH Act.

Presented by: Bob Chaput, CISSP, CIPP/US | CEO – Clearwater Compliance LLC