The Department of Health and Human Services (HHS) conducts audits and levies fines against healthcare organizations that are not compliant with the Health Insurance Portability and Accountability Act (HIPAA). Along with a substantial fine, breaches affecting 500 or more individuals must be posted on the HHS "Wall of Shame," a public website that lists the name of the organization and the type of breach. Breaches affecting fewer than 500 individuals must also be reported to HHS and can likewise result in fines.
The HIPAA Risk Assessment is an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) held by your organization. It is the first requirement for complying with the HIPAA Security Rule and also satisfies core measure 15 ("Protect electronic health information") of the Meaningful Use objectives. After identifying the risks to your organization, Orr Systems conducts a thorough review of your environment and your existing Policies and Procedures to identify the gaps between your current state and the standard required to be HIPAA compliant.
If your Risk Assessment determines that you need updated Policies and Procedures, Orr Systems can supply a set of policies and procedures aligned with HIPAA standards, or customize them for you based on how your practice actually operates. Orr Systems can also help with technical safeguards such as audit log monitoring and disaster-recovery products to meet the HIPAA Security Rule requirements.
The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states: RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization].