Notes to ponder

As I was conducting my afternoon research I was reading an article written by Jonathan Krasner about MACRA. In this article he wrote: “perform a HIPAA Security Risk Analysis and you are in position to maximize your MIPS CPS and your revenue.  Don’t perform the Risk Analysis, and be prepared to take a hit on your payments.” While this simple sentence brought many thoughts to my mind, the thought that predominated was: the number of organizations that are auditing and requiring actions from the standpoint of HIPAA continues to increase. Even worse, each one seems to be bound by a number of governmental regulations and/or policies that dictate what security measures should be in place and how they should be audited. At times this looks like a no-win scenario, but I’m not the pessimistic kind of person, so instead of complaining I decided to prioritize, create a plan of action and implement. First and foremost, it is obvious that a Security Risk Assessment is the baseline for all of these audits, so we created a tool to conduct a Security Risk Assessment that covers every point mentioned in the regulation. We also made sure that we and our clients have completed a Security Risk Assessment before the end of the calendar year and have updated it based on our interactions (audit response actions and industry guidelines). Second, we created a calendar to ensure that throughout the year we cover each item identified in the risk analysis. This calendar has also been incorporated into our plan of action. Third, we make sure that every Security Risk Analysis incorporates a Security Management Plan. Fourth, we created a training schedule that includes the basic annual required training and monthly Security Reminders that reiterate some of the key issues mentioned in the regulation and in our database of audits and legal cases.
Fifth, we all have blind spots, so as we find new guidance we review our policies and procedures and check to see if there is any gap between that information and our systems. For Covered Entities and Business Associates, I recommend bringing in an independent expert to conduct your Security Risk Analysis for the following reasons:

  • Blind spots. Quite often an internal person may not see what an outsider could identify;
  • Internal pressure. No one wants to look bad, so there may be pressure from management or peers to overlook or understate some issues;
  • Perception. Auditing agencies seem to view independent assessments in a better light than those performed within the organization;
  • Objectivity. Reassurance of the adequacy of the assessment from someone other than a team member.

Regardless of which route you take, just make sure that you complete a HIPAA Security Risk Assessment before the end of the year!