This entry is part 30 of 60 in the series HIPAA Security Risk Analysis Tips

Open Letter to VITO (Very Important Top Official)

Dear VITO,

We get it! At VITO, Inc. you come to work every day with very important business issues on your mind, including growing top-line revenues, serving your customers/patients/members, ensuring your customer-market facing staff are effective and efficient, fixing or reducing costs, etc. Once in a while, risk management. Here’s today’s big tip, VITO: Your Revenues, Assets and Reputation Are at Risk; Learn What to Do About It!

HIPAA Security Risk Analysis Tips – Saving Your Assets


Over the last 8 years, we’ve been working with lots of VITOs, like you, across all segments of healthcare…all over the US.  Actually, we have been and are VITOs too!  Following are some of the common strategic questions (after all, as VITO, you must be strategic) we’re hearing VITO ask of his team.

  1. What are we doing about HIPAA-HITECH compliance and cyber security? (VITO is hip and knows this sexy term for information security, or heard his kids use it.)
  2. How much are we spending today on cyber security? (See, you can still manage costs, VITO!) Is it too much? Too little? How do we know?
  3. How much are your competitors spending? (That’s the strategic VITO we know and love!)
  4. How are we making these spending / risk management (good one, VITO; now we’re talking!) decisions?

VITOs Who Need to Do HIPAA Security Risk Analyses Come In All Sizes! 

Upper right, please meet a very large size VITO — Chief Executive Officer and Associate Vice Chancellor, UCLA Health System, David T. Feinberg, M.D., M.B.A. He and his team have had more than a couple of HHS/OCR discussions. Check the HHS/OCR Wall of Shame. Read the July 2011 University of California Los Angeles Health System Resolution Agreement. Google UCLA “data breaches”. I am not picking on Dr. Feinberg. UCLA got caught.

Immediate left, please meet two small size VITOs – Drs. Fang and Tibi, equal owners of Phoenix Cardiac Surgery, P.C. (“PCS”).  These two VITOs in PCS serve to illustrate that HHS/OCR does really care about ALL Covered Entities including small (5 docs at PCS) medical practices.  In the April 2012 Phoenix Cardiac Surgery P.C. Resolution Agreement Corrective Action Plan, we learned that PCS failed to address some of the basics:  failed to implement adequate policies and procedures to appropriately safeguard patient information; failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules; failed to identify a security official; failed to conduct a risk analysis; and, failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI. Geez, PCS VITOs!  When did this HIPAA thing happen again?

Most VITOs in most Covered Entities and Business Associates are sitting on the same liability and risk powder kegs.

VITO, it’s NOT IF you’re going to have an information security issue (or compliance audit or investigation), IT’S WHEN.

What’s a VITO to Do?  – Risk Analysis – The Right Way

Risk analysis is a fundamental, foundational part of any risk management program, including your cyber security program.  It’s not an evil creation of HIPAA or HITECH statutes or their promulgated rules.  In fact, it’s been around since the beginning of mankind.  In a nutshell, risk analysis is determining your biggest to smallest risks (a.k.a., exposures) and then using this information to make informed decisions about treating them (accept, avoid, mitigate, transfer).

For VITOs at healthcare Covered Entities or their Business Associates, HHS / OCR published its “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”, which relies on the NIST Security framework and specifically NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments – DRAFT. According to both documents and NIST SP800-30,

“A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system.  Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.”

CMS Meaningful Use Audits – Heads Up VITO if You Attested Without Doing a Risk Analysis

In a recent post, we covered the potential of being audited by CMS if you participated in the MU EHR Incentive program. As we wrote, “Did you really think the government was going to hand out $30B in Meaningful Use (MU) Incentives without checking on the meaningful use part?” At the 2012 NIST/OCR HIPAA Security Conference, an HHS official announced that 10% of the MU attesters would be audited. And, in the recent ONC Guide to Privacy and Security of Health Information, you might want to specifically read page 27 and the discussion of a potential filing under the False Claims Act.

Bottom Line: VITO, demand that a formal, by-the-book HIPAA Security Risk Analysis be completed ASAP, and insist on hearing the results and recommended risk treatment actions so that you may answer the questions above.

To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view Clearwater HIPAA Risk Analysis Video Overview.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.