The Importance of a HIPAA Risk Analysis

Everything is changing in the healthcare industry, and some of these changes are not necessarily for the best. Take, for example, some of the new laws regarding HIPAA, such as HITECH, the Omnibus Rule, and even the Affordable Act and Meaningful Use, and their impact on the industry. Prior to the HITECH Act, the maximum penalty per year per provision violated was $25,000, and willful neglect had to be proven. Now willful neglect doesn’t need to be proven, and the maximum penalty per year per provision is $1.5 million.

The Department of Health and Human Services and the Office of Civil Rights have also made it clear via the current Meaningful Use Audits that failure to conduct a Risk Assessment results in the Covered Entity not meeting the requirements of Meaningful Use. In addition, a recent $750,000 settlement between Cancer Care Group, P.C. and the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is also bringing this particular issue to the forefront. As a matter of fact, OCR Director Jocelyn Samuels recently stated: “Organizations must complete a comprehensive risk analysis and establish strong policies and procedures to protect patients’ health information.” It is also important to mention that the OCR is preparing to conduct a second phase of audits that will focus in part on compliance with the Security Rule.

However, this is not the only organization looking into additional efforts and compliance issues. In a recent speech, Department of Justice (DOJ) Assistant Attorney General Leslie R. Caldwell stated that a new position has been created to assess whether compliance programs are “thoughtfully designed and sufficiently resourced” or simply serve as “window dressing.” She also stated that: “the Criminal Division will continue to review companies’ compliance programs as one of the many factors to be considered when deciding whether to criminally charge a company or how to resolve criminal charges.”

In summary, you still have time to meet the HIPAA Risk Assessment requirement for this year. So don’t delay, and contact us if you have questions or need further assistance.