Archive | January, 2012

HIPAA Security Risk Analysis Tips – Make a Plan and Commit

In a recent HIPAA Security Risk Analysis Tip post, we discussed Recommended Documentation to gather and maintain as part of your Risk Analysis process. Our recommendation is based on the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. One of the documentation items we strongly recommend is the Planned Risk Analysis Completion Date (indicate the month and year when that analysis will be completed for a specific information asset). Here’s today’s big tip – Demonstrate good faith effort early and often – make a plan and commit to it! Learn the guidance; here’s how…

HIPAA Security Reminder – Sanction Policy

Both the HIPAA Security Final Rule and the HIPAA Privacy Final Rule require Covered Associates and Business Associates to have and apply sanctions against members of the workforce who violate the respective regulations. OCR auditors look for these policies and procedures and will continue to do so as enforcement amps up. What’s required and where do you stand? Have you reminded your workforce of your policy and sanctions? Learn more…

Security Incident Management Meets Breach Notification

All healthcare Covered Entities and their Business Associates and subcontractors will experience “operational issues” that may or may not be “security incidents” that may or may not be “breaches”. The HIPAA Security Final Rule and HITECH Breach Notification Interim Final Rule meet and complement each other to set your requirements. Learn more…

HIPAA Security Risk Analysis Tips – Recommended Documentation

Nine (9) essential elements of an acceptable Risk Analysis are cited in the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. The first one addresses the scope of the analysis; that is, what information assets should be included in the review. Then the question arises: how should I inventory and document these assets? Here’s today’s big tip – Take advantage of the time investment and document thoroughly. Learn the guidance; here’s how…

OCR Deputy Director McAndrew Speaks Out on HIPAA Compliance Audits

On July 15, 2011, Deputy Director Susan McAndrew, Esq., from the HHS Office for Civil Rights went on record in an interview with to comment on the upcoming agency audits.

As McAndrew said, “This is just another opportunity for covered entities to take a moment from their busy, busy days to do a self assessment. We think that this will help them down the road in terms of building their own capacity for a robust compliance program.”

Risk Analysis DOs and DONTs – HIPAA HITECH Blue Ribbon Panel

Even though many Covered Entities are just now contemplating their first-ever formal HIPAA Security Risk Analysis, and even though the Department of Health and Human Services has issued Final Guidance on Risk Analysis Requirements under the HIPAA Security Rule, much confusion exists as to what comprises a Risk Analysis. The Meaningful Use Stage One Objectives have not helped, as some interpret them to say that the scope of the Risk Analysis can be restricted to an organization’s EHR application.
