Missing the HIPAA Target – Part 4

In my first blog of this series, I stated that the intent of HIPAA was not to make you an expert on regulations, but to guide you to be risk management proficient, which is the ability to recognize threats and risks to your practice and manage them to eliminate or minimize their impact.  The next installment was accountability; taking ownership and delivering verifiable results.  This was followed by the importance of training.  What is the next?

Well, you need to know how to identify risks and threats, and that is the job of a Risk Assessment.  I’m sure you are wondering, "Are annual risk assessments really needed?".  Yes, definitely!  A Risk Assessment is required for Meaningful Use Attestation and it's the number one requirement for MACRA, which is how practices will be paid in the future.

I also reviewed the recently enacted New York state Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500.  Section 02 of the law requires the risk assessment.  The U.S. insurance industry is also implementing similar regulations, based on the same standards on which HIPAA was developed, again requiring the risk assessment.  These huge industries which maintain our highly sensitive personal and financial information are adopting HIPAA type regulations to better protect our data.

Why?  Because cyberthreats are accelerating and the risk assessment is an established and reliable approach to identifying vulnerabilities and risks.  A well performed risk assessment will identify what needs to be corrected, and result in strong defenses.  So, perform the risk assessment annually, and sooner if there is a major change in your organization.  Changes always introduce new vulnerabilities that need to be addressed.

Being risk management proficient, being accountable and verifiable, providing workforce training, and knowing how to build strong defenses, will reduce your liabilities and personal stress.  You will be in better control of your practice and your destiny.

Contact us at info@thirdrock.com if you have questions about protecting your business, or compliance requirements for Meaningful Use Attestation and/or MACRA.  Third Rock reduces the burden of HIPAA.  You'll find our Worry-Free Compliance™ solution to be Complete, Easy, and Affordable.

Ed Jones, PMP, CHSP
About the Author

Over 30 years of customer facing experience managing projects in healthcare, IT, process automation in a variety of tech industries, Ed has worked for start-ups to Fortune 100 companies. He has performed numerous complex and extensive risk assessments, and developed and managed the corresponding risk management strategies.

%d bloggers like this: