Conduct Your Risk Analysis to avoid consequences

After reading an article put out by one of the top HIPAA enforcers, Jocelyn Samuels, it was clear that keeping your head buried in the sand when it comes to securing electronic protected health information (ePHI) is basically like playing Russian roulette. When the head of OCR, the office that enforces the HIPAA rules and regulations, sits down and gives you a clear explanation of what you should be doing, she is basically sending a last friendly warning before federal regulators ramp up their enforcement activities and compliance audits.

They are saying very clearly "You must conduct a comprehensive and timely risk assessment - or face the consequences."

Taking the time to hire a third party to come in, meet with you, and educate you on what a proper risk analysis entails is not a time-consuming matter. Going through that assessment step by step and realizing which threats and vulnerabilities need to be addressed is, again, not a time-consuming matter. However, failing to plug those gaps and fix those areas of weakness, and then facing an audit or a fine, is not only time consuming but will cost you.

Jocelyn Samuels, director of the Department of Health and Human Services Office for Civil Rights, gave specific highlights at the 2014 annual HIPAA conference sponsored by OCR and the National Institute of Standards and Technology.

"We continue to see a lack of comprehensive and enterprisewide risk analysis and risk management that leads to major breaches and other compliance problems," Samuels said. "That is why enforcement is a critical part of our arsenal of tools to ensure compliance. Resolution agreements that include a monetary settlement are only a small fraction of complaint and compliance reviews we undertake. These enforcements send out an important message about compliance issues and the need for covered entities and business associates to take their obligations seriously."

When the OCR investigates a breach, Samuels said, "we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by ... timely risk management practices is the cornerstone of any good compliance program."

Samuels also emphasized the importance of training the workforce to identify and respond appropriately to security incidents. That, she said, helps to "ensure that entities take the necessary steps to address and prevent future incidents and to mitigate harm to affected individuals."

From a secure messaging standpoint: if you have conducted your analysis and found gaps in staff using their smartphones to exchange patient health information by text message with other staff and/or medical professionals, and your stance is "we have a do-not-text policy," you will most likely get nailed.

You need to have first located and identified mobile devices as a vulnerability in your analysis, and then you need to find a system that allows your staff to communicate while remaining compliant. You also need to train your staff.

Keep in mind that you need to do this across the board for your organization: if you are hit with a random audit, investigators will look in all sorts of areas, and you cannot be certain what they will find when they begin to dig.

Being proactive, showing that you did your full analysis, that you identified areas that could lead to a potential breach, and that you offered ways to fix them, will shine a positive light on your organization when those investigators begin to dig. Simply crossing your arms and saying "we are good enough, our policy of don't do it will be sufficient" can open you up to a world of gray area to defend.

Here is a key point:

And it's not necessarily the breach itself that will bring a potential financial penalty from OCR - it's what investigators find when they dig into the incident, she pointed out. "Did you have systems and a plan and tools in place to reduce risk? Did you do an assessment to mitigate risks?"

In response to an audience question about how frequently organizations should perform a comprehensive risk analysis, Sanches said assessments should be conducted "when there are changes in the environment ... new records management, new devices."

This should speak volumes to your organization. When it comes to securing your text messaging, the time is now, not later, to put Mediprocity to work for your organization's communication needs.
