Compliance Helper Blog

Have You Conducted a Security Risk Analysis under 45 CFR 164.308(a)(1) (HIPAA Security Rule)

With all the hype about "Meaningful Use" (every booth at HIMSS seemed to claim some connection), little has been said about compliance, specifically the issue of risk assessment. To quote item 23 on the qualifications for meaningful use: "Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) (HIPAA Security Rule) and implement security updates as necessary."

Under NIST guidelines for HIPAA Security Rule compliance, covered entities "May consider asking the business associate to conduct a risk assessment that addresses administrative, technical, and physical risks, if reasonable and appropriate." (NIST 800-66, rev 1, p48). We presume this means a reasonable cost as well as a reasonable process. Our business partners at ACR2 Solutions can deliver a risk analysis at a reasonable cost with a reasonable process. If the result reveals a need for policies and procedures that meet the standard, we can deliver this reasonably also.

We expect that covered entities will realize that, to protect themselves from liability, they will have to require proof of compliance from their business associates. Just signing a business associate agreement will not suffice. The combination of a risk analysis from ACR2 Solutions and going through the Prepare compliance process with Compliance Helper will get the business associate compliant; the Care maintenance process, combined with an annual risk analysis, will then keep them compliant. The Compliance Meter™ will allow them to demonstrate their compliance to their business partners.
