Part B News: To Avoid Penalties, Go Beyond HHS’ HIPAA Security Risk Analysis Tool

April 21, 2014:

Roy Edroso, editor of Part B News, quotes Tatiana Melnik in his story on HHS's HIPAA Risk Analysis Tool, which was built in collaboration with the Office of the National Coordinator.

As the author notes, "Practices are likely to re-invest their attention on HIPAA compliance -- with 65% of respondents listing it as ‘a key initiative’ in Part B News’ recent survey of almost 1,100 respondents -- after Congress delayed ICD-10 for at least a year. Right on time for that shift in attention, HHS released its tool that was designed by the Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). The tool will guide practices with 10 or fewer physicians in conducting risk assessments of their organizations."

But the Risk Analysis tool may not be appropriate for every organization. "What if you missed something because the tool doesn’t understand your business?" agrees Tatiana Melnik, health care and technology attorney at Melnik Legal in Tampa, Fla. "When I work with organizations, for example, I say, ‘You have mobile devices here, fine, what are your policies and procedures on using those technologies? If you get texts from patients, is that information being added into their medical records?’ This tool is not going into that level of detail."

Additionally, an analysis is only the first step. "Your policy may be your organization audits the EHR logs monthly to confirm appropriate access," says Melnik. "But the logs demonstrate that the organization actually audits access every two months or, worse yet, maybe the organization has never undertaken an audit. The mismatch between the policy and actual practice is problematic -- especially if you have an incident and it turns out complying with your own plan could have avoided it."

Organizations that use the HHS tool should consider the following steps:
  • Remedy any deficiencies the tool turns up. "Start with the biggest red flags," says Melnik.
  • Educate yourself, but also remember that your time is valuable. "A lot of practice managers or owners will think, ‘Is it cost effective for me to be doing this?’ and get a third party to walk them through the process," says Melnik.
  • Have a consultant review your work. "I love when clients do that," says Melnik. "I see that they’re engaged in the process and at least thinking about what to do. It can be significantly more expensive to implement a compliance program from ground zero."

Part B News is a newsletter publication geared toward providers in the Medicare Part B space. Read the full article here: To Avoid Penalties, Go Beyond HHS’ HIPAA Security Risk Analysis Tool (PDF)
