As we start the new year, it’s a good time to start fresh and clean things up. Many of us have gone to the gym and noticed that all the classes are full with everyone working on their resolutions. For those of us involved in HIPAA, it is the same. We need to check those rules and regulations and make sure we are doing what is required.
HHS has announced it will resume its auditing program in 2014. It will be auditing not only covered entities but business associates as well. HHS has also said it will apply a narrower scope to its audits, which is good news because each audit should be less time consuming (in theory). The narrower scope will, however, allow more facilities to be audited.
One item mentioned by HHS was that many facilities are failing to perform a thorough risk analysis, so auditors will be looking for this specifically as they move forward. HIPAA began requiring a risk analysis in 2005, and meaningful use requires a security risk analysis in its core measures; however, according to HHS, many facilities are still not doing a thorough risk analysis. Risk analysis should really be part of your ongoing compliance program.
Things change, and we need to redo our analysis to keep up with those changes. A thorough risk analysis can find data in places where you may not realize it exists. It can also point out areas where a breach could occur and allow you to correct them before anything happens. Have you added a cloud provider? How about sending employees home to work remotely? All of these changes to our business models show how important doing that risk analysis is. Quite a bit of information is available to help you with your analysis and specific protocols. Here are a few links that you may find helpful.
NIST security tool kit — http://scap.nist.gov/hipaa/NIST_HSR_Toolkit_User_Guide.pdf