By Jack Anderson
June 15, 2015
The 2015 Healthcare Information Security Today Survey is fascinating reading, and I am sure that I will be mining it for more gems, but one chart really jumped out at me. The question was how confident these executives were that their business associates were HIPAA compliant: 8% Highly Confident, 23% Somewhat Confident, 38% Neutral, 23% Somewhat Low, and 7% Low. Couple this with the fact that the highest current threat was reported to be business associates not being HIPAA compliant, and you have a situation that should cause major concern for business associates.
Also mentioned in the report was a solution for the worry associated with business associate compliance: asking for a copy of their most recent HIPAA risk assessment. While this is a simple request, and one allowed by HHS, it will strike fear in the hearts of many business associates who have signed their business associate agreements, filed them, and gone their merry way. This is an effective litmus test, since you either have done a HIPAA risk assessment in the last twelve months and have a copy of the Gap Analysis, or you don't. We have actually had people ask us if we would backdate a risk assessment, but we told them we had decided that this was too risky.
Once you have done the risk assessment, you are required to assign staff to remediate the risks identified and to document your progress. Thus, when you do your next risk assessment, you will be able to show progress. Doing the risk assessment and not doing the remediation qualifies as willful neglect and earns you the top fines from OCR.
If you do a risk assessment (or have an outside firm do one) that meets the NIST standards, develop policies and procedures to fit your organization, and provide training and awareness for your staff, you can sleep well at night knowing that if the auditors show up tomorrow you will pass. If you are missing any of these three components, get to work or contact me.
Jack@compliancehelper.com