Quarterly Risk Assessments Might Have Saved St Josephs $10 Million

The story of the breach at St Joseph Hospital (SJH) is a story that could be told with some variations at many healthcare facilities.  Management wanted a new program to manage their files for the meaningful use program.  The IT department hired an outside contractor to install a new server with a file sharing application.  The default settings allowed anyone with Internet access to access the files.  SJH staff failed to evaluate how it was working.  They also didn't conduct a risk assessment despite having made a major change in their systems for managing ePHI.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” OCR Director Jocelyn Samuels said in a statement.

The pace of change in healthcare has increased many of these changes affect ePHI.  A risk assessment would ask the question; Have you made any changes that might affect ePHI?  In a large organization that might be adding or changing things like the aforementioned server.  In a small organization it might be simply, Have we added or lost any employees this quarter? 

We have been talking about the Cycle of Compliance for years but now we need to talk about how to drive the cycle on a quarterly basis.  At the beginning of the process we do a baseline risk assessment.  Then our Jumpstart program assigns monthly HIPAA compliance tasks which include updating policies and training staff.  At the end of each quarter the data is used to update the risk assessment.  This is done automatically for small clients who don't have compliance professionals on staff.  Larger accounts can manage the tools internally which would allow them to do risk assessments at will.  This continuous loop of risk assessment, update policies, and train staff integrates HIPAA compliance into the daily operation of the organizations.

Automation is the key to making this cost effective and efficient.  The risk assessment is built on the industry best practices NIST 800-30 methodology on a software platform developed by ACR2 Solution and in use in a range of healthcare organizations to solo practitioners to enterprise level organizations.  Staff training is based on on-line videos with a quiz and certificates for completion.  Task management and policy updates are managed on the Compliance Helper platform which is linked to the ACR2 Solutions platform.

Yet with all this sophisticated technology underneath, the user interface is simple and logical.  We call this the simplicity on the far side of complexity.  

Let me know if you would like to see a live 15 minute demonstration of the Quarterly HIPAA Cycle of Compliance.  jack@compliancehelper.com


Add Your Comments

(not published)