This entry is part 58 of 60 in the series HIPAA Security Risk Analysis Tips

HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez

We received almost 100 questions in our May 3rd web event entitled “WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez”.  We are breaking up the questions and providing the answers in this blog post series “HIPAA Risk Analysis Tips”.  Enjoy Part 4 as we work our way through them all!

  1. When is your next virtual class?

Answer: For more information and a complete list of upcoming web events, please visit: http://bit.ly/clearwaterlivewebevents. For specific information about our next OCR-Quality Risk Analysis Working Lab™, please visit: http://bit.ly/WorkingLab

  2. Will a transcript of the webinar be available?

Answer: A transcript will not be made available. The recorded version of the live web event and the presentation materials may be found here: http://bit.ly/ClearwaterRodriguezOnDemand. Please feel free to share with colleagues and friends.

  3. Regarding the handout, I see not all links are hotlinks. Might another document be shared where all links are clickable? Also, the slide toward the end with RISK in red Scrabble format was not listed. May that be included as well?

Answer: Thank you. If it has not yet been posted as of this writing, we will correct all links and provide the very latest materials. If you have any other questions or trouble with the links, please email us at webinars@clearwatercompliance.com.

  4. Will you send an email stating attendance and invites to upcoming seminars?

Answer: For more information and a complete list of upcoming web events, please visit: http://bit.ly/clearwaterlivewebevents. Please sign up for our monthly newsletter here: https://clearwatercompliance.com/resources/newsletters/

  5. How do I reach OCR?

Answer: The URL for OCR is: https://www.hhs.gov/ocr/. And this is the direct link to Regional Offices for OCR: https://www.hhs.gov/ocr/about-us/contact-us/index.html

  6. Does the OCR provide a detailed audit list that an organization could use as a checklist, i.e., for an internal audit using this OCR checklist?

Answer: The best source of this information may be found under the 2016 OCR Audit Protocol. You may also wish to conduct a mock audit as part of your preparation. Please contact us if we may assist you. We’ve performed hundreds of these audits.

  7. Please include OCR contact information in final slides.

Answer: The URL for OCR is: https://www.hhs.gov/ocr/. And this is the direct link to Regional Offices for OCR: https://www.hhs.gov/ocr/about-us/contact-us/index.html

  8. Is there an expectation that the NIST Cybersecurity Framework will become “required” by OCR for CEs and BAs at some point in the future?

Answer: We do not believe that adopting the NIST Cybersecurity Framework will become required any time soon. However, given the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, and given that the order calls for the heads of appropriate sector-specific agencies (think: HHS) to use their “authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation’s critical infrastructure”, we believe it will become a de facto standard and a legal standard of care in breach cases. We recommend adoption of the NIST Cybersecurity Framework. HHS has recently launched a Task Group focusing on the Cybersecurity Information Sharing Act of 2015 (CISA) Section 405(d), “Aligning Health Care Industry Security Approaches”. We expect adoption of the NIST Cybersecurity Framework will be one of the recommendations. We will keep you apprised of developments with this Task Group.

  9. If President Trump cuts back on HHS funding, will this affect the number of audits (desk and onsite) that will be performed?

Answer: We discussed this briefly during the May 3rd live event. Short answer: we do not think so. The OCR budget is small (~$43MM), and OCR has an alternative source of funding: the HITECH Act at SEC. 13410. IMPROVED ENFORCEMENT, (c) DISTRIBUTION OF CERTAIN CIVIL MONETARY PENALTIES COLLECTED, provides for OCR to use any monies collected for additional enforcement. “(1) IN GENERAL.—Subject to the regulation promulgated pursuant to paragraph (3), any civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or section 1176 of the Social Security Act (42 U.S.C. 1320d–5) insofar as such section relates to privacy or security shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act.”

  10. What is the likelihood that solo practitioners or small group healthcare providers (MD, DO, DDS, DMD, DC) will be audited?

Answer: The likelihood of any of the 700,000+ Covered Entities and 10,000,000+ Business Associates being audited is very small. Another way of saying it: the likelihood that solo practitioners or small group healthcare providers will be audited is just as small as for any other organization, until or unless we hear of a major audit program expansion being announced by OCR. Healthcare organizations have little or no control over the likelihood of an audit. Therefore, we recommend that organizations focus on reducing the likelihood of other events that would trigger a visit from OCR! For instance, lower the likelihood of a breach of PHI, or lower the likelihood of a complaint being filed against the organization. Both are within the control of the organization.

Stay tuned for Part 5 of the Questions and Answers from the May 3rd web event entitled “WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez”.

Now what?

  1. Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.
  2. Learn the definition of an information asset.
  3. View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
  4. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
  5. Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.