Business associates: Are you conducting a risk analysis under the HIPAA Security Rule? More importantly are you doing it right?
11/21/2018 8:30
If you are a covered entity (CE) or business associate (BA) working under the umbrella of the Health Insurance Portability and Accountability Act, you should be familiar with the expectation to document a risk analysis of your organization. The HIPAA Security Rule has required CEs and BAs to conduct risk analyses since 2003 and 2013, respectively, but confusion about what that means persists, Collector magazine editor Anne Rosso May reports in the November issue.
To wit: Last year, the Office for Civil Rights, which is responsible for issuing guidance on HIPAA Security Rule provisions, audited 41 BAs, a portion of which were debt collectors. In those audits, “OCR found that almost none of the business associates had what OCR evaluated as a competent or acceptable risk analysis policy,” said David Holtzman, vice president of compliance strategies at CynergisTek, a cybersecurity firm.
To be fair, Holtzman, who is a former senior adviser to OCR for health information technology and the HIPAA Security Rule, noted that BAs were not alone—the CEs OCR surveyed also struggled to conduct appropriate risk analyses. (And 41 is not a large sample size considering the tens of thousands of BAs out there.)
But it might not be off-base to speculate that many CEs and BAs still haven’t figured out what a risk analysis is, how it should be performed and what they should do with the findings. And this is a problem, especially if you consider that earlier this year, Fresenius Medical Care North America, a dialysis provider, agreed to pay OCR $3.5 million in part for failing to conduct a comprehensive risk analysis under HIPAA.
Of course, implementing a robust risk analysis will not only help insulate you from an OCR fine, it will also keep your clients and consumers happy—and your company out of the spotlight for a data breach.
The good news is that there’s no single defined way to conduct your risk analysis, so you are free to customize it to your specific organization. The bad news is that there’s no single defined way to conduct your risk analysis, so it’s up to you to figure out what it will entail.
Read more tips for finding the best risk analysis processes for your organization in the November issue of Collector magazine.