OCR says: Comprehensive HIPAA Risk Assessment Required

OCR Director, Jocelyn Samuels, reinforced the need for an enterprise-wide assessment when she stated, “[a]ll too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.” She noted, “an effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”  

What is an effective HIPAA risk analysis or HIPAA risk assessment? As usual, HHS gives no hard and fast rules, but they do give a very big hint. To wit: "Although only federal agencies are required to follow federal guidelines like the NIST 800 series, non-federal covered entities may find their content valuable when performing compliance activities."

OK, we get it, following the NIST 800 series protocol would be a good idea, wink, nod.  I didn't read the NIST 800 series protocol but fortunately our partners at ACR2 Solutions have based their entire company on it.  They built software that delivers the NIST 800 protocol to users in a manner that does not require an advanced degree in computer science nor a huge IT budget.  

This automated system requires you to answer a series of questions about administrative, technical, and physical aspects of your organization.  If necessary they can hook up an SCAP scanner to your system to analyze it.  Then their software does thousands of calculations to produce a Risk Assessment report which is a simple graphic showing in red, yellow, and green where your vulnerabilities are, backed up by in-depth reports, including a Gap Report.

This gives you a prioritized list of things that need to be fixed, some immediately and some over time. If you have the Compliance Helper software you will then get a series of monthly task lists. One of the tasks is to do a quarterly risk assessment, which will demonstrate the progress you have made.

This safe harbor has protected the clients of Compliance Helper and ACR2 Solutions from penalties.  Cumulatively our clients have been through hundreds of audits and not a single one has failed.

Jumpstart can get you HIPAA compliant quickly and together Compliance Helper and ACR2 Solutions can keep you compliant.  Take a look at www.compliancehelper.com for more information or email me at Jack@compliancehelper.com
