Clarifying misconceptions about healthcare RMPs

Many healthcare entities haven’t yet grasped the difference between the HIPAA Security Rule and the HIPAA Privacy Rule. Because of this confusion, they leave many security requirements unfulfilled. Most practices I’ve communicated with are trained, strict adherents to the Privacy Rule, but don’t understand that the Security Rule is a completely different ball game. (SEE ALSO: Understanding HIPAA Privacy and Security Rules.)
The Risk Management Plan (RMP) is the compliance step that works through issues discovered in the risk analysis and provides documented proof of your active acknowledgement (and correction) of PHI risks and HIPAA requirements. There are three vastly different approaches to an RMP that vary in cost, time, and work required. To my knowledge, every covered entity engaged with HIPAA is using at least one of these methods.

1) HIPAA audit approach

This approach is the quickest way to become HIPAA compliant…if you have the time and money to devote. A HIPAA auditor visits your location, verifies what safeguards have been implemented, completes a risk analysis, and essentially fills out a risk management plan for you. This process usually takes one to three months. Of all three approaches, this is the quickest route to compliance, but it will cost you. Depending on your organization and the PHI it handles, an annual HIPAA audit starts around $40,000.

2) Net approach: catch important HIPAA requirements

I gave this method its name because a security expert tries to ‘catch’ all important HIPAA requirements in one RMP. Security experts work with you remotely to prioritize threats found in your risk analysis. If you find a good HIPAA vendor, they guide you through the creation and implementation of an RMP. While the audit approach is the quickest way to become compliant, the net approach gives you the biggest bang for your buck. Cost varies, but I typically see about $2,000 annually. Depending on the time you are willing to invest, this method can take from three months up to two years.

3) DIY approach: risk management plan template

DIY is usually attempted by finding an RMP template via a Google search, then figuring it out yourself. Here’s the problem with DIY: even if a healthcare professional came up with an acceptable plan, they likely wouldn’t be able to understand all the technical jargon, prioritize it by level of importance, or even complete it.
Please don’t be offended by this statement! In the same way I don’t expect to know anything about correctly conducting a medical exam or diagnosing a tumor, you aren’t expected to understand the technical jargon that goes along with HIPAA compliance. In my experience, the net approach is the most effective and practical way for small to mid-sized businesses to reduce the HIPAA risk management cost.

What should be included in a HIPAA Risk Management Plan?

Although the risk analysis outcome should directly feed into an RMP, plans should also include all HIPAA Security, Privacy, and Breach Notification requirements. For example, identification and documentation of job roles is a HIPAA requirement, but doesn't necessarily come from a risk analysis. As a general rule, once all risks and HIPAA requirements are included, your plan will likely have 100-200 to-dos. (SEE ALSO: Your Security Strategy Should Be Risk Based.) Although the specific items included in an RMP vary, here are a few industry best practices to include.
What are the most recent HIPAA risk management plan trends?

Covered entities are either working on compliance, or they’re not. Those who are working on compliance are either succeeding or failing. There are a few core reasons covered entities struggle with risk management plans…
How much time should you devote to a risk management plan?

Technically, you could spend 80 hours a week on HIPAA compliance. A ‘realistic’ timetable is different for every situation. I’ve found that prioritization is a great way to maintain sanity and reduce the greatest risk items first. If you only have one hour per week to spend on HIPAA, get those high-risk items done first. Don’t waste time on HIPAA requirements that probably won’t prevent PHI loss, damage, or theft. Not at the beginning, anyway. Perhaps a few scenarios will help you decide how much time per week is right for your practice.
To the people who question whether they are the right employee to take charge of HIPAA compliance, my response is always: it doesn’t matter, just start! If you simply start on HIPAA security compliance, you’re doing better than 50% of your peers. Decide which approach you want to implement. Determine how much time you can devote to compliance per week. Then either call an auditor, start researching RMPs online, or contact a vendor who can walk you through compliance.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun.

What is a HIPAA risk management plan?

Basically, it refers to the assessment of risks and vulnerabilities of electronic protected health information, or ePHI. A complete HIPAA risk analysis done properly will include a security risk assessment. IT staff and security experts are essential partners in strong HIPAA compliance.
Does HIPAA require an annual risk assessment?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization.
What is the role of the HIPAA security officer?

A HIPAA security officer is responsible for the continuous management of information security policies, procedures, and technical systems in order to maintain the confidentiality, integrity, and availability of all organizational information systems.
What is included in a HIPAA risk assessment?

Performing a HIPAA security risk assessment is the first step in identifying and implementing the required safeguards. A security risk assessment consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.