This entry is part 34 of 60 in the series HIPAA Security Risk Analysis Tips

How does your organization categorize the risk of not having completed a bona fide HIPAA risk analysis? In summary, Peter Drucker is said to have observed: “There is the risk you can afford to take, and there is the risk you cannot afford not to take.” Here’s today’s big TIP — Carefully Assess Whether You Can Afford NOT to Complete a Bona Fide HIPAA Security Risk Analysis.

harnessing risk starts with a bona fide risk analysis

HIPAA Risk Analysis Tip – Sage Risk Management Advice from Drucker

In his book, “Managing for Results”, Peter Drucker outlined the following four kinds of risk:

  1. The risk one must accept, the risk that is built into the nature of the business
  2. The risk one can afford to take
  3. The risk one cannot afford to take
  4. The risk one cannot afford not to take

How does your organization categorize the risk of not having completed a bona fide HIPAA risk analysis?

We recommend you consider the following. Not having conducted an authentic HIPAA risk analysis is certainly not a risk you must accept. Completing one is quite actionable. Doing it the correct way may take a little thinking and scrutiny. Be leery of the charlatans out there peddling dead-on-arrival PDF reports of network vulnerability scans or pen tests. You need not accept this risk of not doing a bona fide HIPAA risk analysis. Read the Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

It may have been the case that, in the lackadaisical, complaint-driven, reactionary days of enforcement of the HIPAA Security Rule by the Centers for Medicare and Medicaid Services (CMS), not doing a real HIPAA risk analysis was a risk you could afford to take. Those days are over, thanks to the HITECH Act and the Omnibus Final Rule. To date, every Settlement Agreement/Corrective Action Plan entered into by the Office for Civil Rights (OCR) cites failure to do a real HIPAA risk analysis. Just do it!

Is failure to comply with the HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(A) a risk you cannot afford to take? YES! Warren Buffett once said, “It takes 20 years to build a great business reputation and 5 minutes to destroy it.” Today, that’s more like 5 nanoseconds. Go ahead … Don’t understand your exposures. Experience a data breach. Appear on the “HHS Wall of Shame”. Get bogged down in a class-action lawsuit. Be penalized potentially millions under the new Civil Monetary Penalty System.

A risk you cannot afford not to take?? I don’t think so. There’s no upside to this one.

We urge the 700,000+ Covered Entities and the millions of Business Associates out there to get started today. Where do you begin?

Next Actions to Consider / Learn More:

To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view the Clearwater HIPAA Risk Analysis Video Overview.

Wanna be even more hip on HIPAA? Learn more…



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.