Do The HIPAA Risk Assessment: Document the Mitigation
Documentation Critical for HIPAA Risk Assessment and Mitigation
I have harped on this point for a long time but perhaps the best way to get people’s attention is by giving them actual case studies.
A cancer institute was audited as part of the random, unannounced audits that CMS conducts under the HITECH Act meaningful use program for electronic health records. The auditors were no doubt pleased to find that the institute had conducted a HIPAA risk assessment in 2014 which identified several high-risk areas, and had then developed a plan to mitigate those risks. Unfortunately, a year later the auditor could find no documentation that the institute had actually done the work to mitigate the risks. The cancer institute replied that it had done the work but had not documented it. The result was a failed audit with strong recommendations for improving its privacy and security programs.
Identifying a risk and then failing to mitigate or remediate it, and to document that remediation, could be construed as “willful neglect,” which can trigger fines as high as $1.5 million.
"We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance," said Jocelyn Samuels, director of the Department of Health and Human Services' Office for Civil Rights, earlier this year. "These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members."