How does your organization categorize the risk of not having completed a bona fide HIPAA risk analysis? Peter Drucker is said to have put it this way: “There is the risk you can afford to take, and there is the risk you cannot afford not to take.” Here’s today’s big TIP — Carefully Assess Whether You Can Afford NOT to Complete a Bona Fide HIPAA Security Risk Analysis.
HIPAA Risk Analysis Tip – Sage Risk Management Advice from Drucker
In his book, “Managing for Results”, Peter Drucker outlined the following four kinds of risk:
- The risk one must accept, the risk that is built into the nature of the business
- The risk one can afford to take
- The risk one cannot afford to take
- The risk one cannot afford not to take
How does your organization categorize the risk of not having completed a bona fide HIPAA risk analysis?
We recommend you consider the following. Not having conducted an authentic HIPAA risk analysis is certainly not a risk you must accept. Completing one is quite actionable. Doing it the correct way may take a little thinking and scrutiny. Be leery of the charlatans out there peddling dead-on-arrival PDF reports of network vulnerability scans or pen tests. You need not accept this risk of not doing a bona fide HIPAA risk analysis. Read the Guidance on Risk Analysis Requirements under the HIPAA Security Rule.
It may have been the case that in the lackadaisical, complaint-driven, reactionary days of enforcement of the HIPAA Security Rule by the Centers for Medicare and Medicaid Services (CMS), not doing a real HIPAA risk analysis was a risk you could afford to take. Those days are over, thanks to the HITECH Act and the Omnibus Final Rule. To date, every Settlement Agreement/Corrective Action Plan entered into by the Office for Civil Rights (OCR) cites failure to do a real HIPAA risk analysis. Just do it!
Is failure to comply with the HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A) a risk you cannot afford to take? YES! Warren Buffett once said, “It takes 20 years to build a great business reputation and 5 minutes to destroy it.” Today, that’s more like 5 nanoseconds. Go ahead … Don’t understand your exposures. Experience a data breach. Appear on the “HHS Wall of Shame”. Get bogged down in a class-action lawsuit. Be penalized potentially millions under the new Civil Monetary Penalty System.
A risk you cannot afford not to take? I don’t think so. There’s no upside to this one.
We urge the 700,000+ Covered Entities and the millions of Business Associates out there to get started today. Where do you begin?
Next Actions to Consider / Learn More:
- How To Conduct a Bona Fide HIPAA Security Risk Analysis
- The Critical Difference: HIPAA Security Evaluation v HIPAA Security Risk Analysis
- Guided Tour of the Clearwater HIPAA Risk Analysis™ Software
To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view Clearwater HIPAA Risk Analysis Video Overview.
Wanna be even more hip on HIPAA? Learn more…
Please avail yourself of any of these free resources:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Author: Bob Chaput