OCR-NIST–HIPAA Risk Analysis and Risk Management Explained Step-by-Step

Description

The HIPAA Rules require Covered Entities and Business Associates to do Risk Analysis and Risk Management (RA-RM) but do not explain how to do them. OCR addressed this problem by issuing guidance advising Covered Entities and Business Associates to use the Risk Analysis – Risk Management process developed by the National Institute of Standards and Technology (NIST). 

This webinar lays out each step of the NIST RA-RM process, arranged for clarity in three segments. And it concludes with a demonstration of how to do an RA-RM. HIPAA RA-RM is easy to do step-by-step – when you know the steps.

OCR consistently calls Risk Analysis the foundation of every HIPAA Compliance program. Organizations must first identify the unique Risks to the privacy and security of protected health information (PHI) they hold. Then – and only then – can they craft and implement tailored policies, procedures and training to manage specific risks that endanger their PHI and the organization’s financial well-being and reputation.

OCR investigations and enforcement activities reveal the importance of RA-RM. They describe devastating health information breaches caused by risks that could have been identified and managed. RA-RM failures by large and small organizations have caused the private health information of hundreds of millions of Americans to be stolen.

On December 17, 2020 OCR published shocking results of its Phase 2 HIPAA Compliance Audits. OCR found:

• 86% of covered entities and 83% of business associates failed the Risk Analysis Audit and
• 94% of covered entities and 88% of business associates failed the Risk Management Audit.

These organizations failed despite the fact that they had been provided with all the audit questions and a list of the documents they would be required to provide well in advance and knew they were short-listed to be audited!  

Area Covered In The Webinar

OCR Guidance – Risk Analysis and integrated Risk Management process

• OCR Reliance on NIST Procedures –  the standard for best practices
• NIST Sources – HIPAA RA-RM and NIST Risk Management Framework

OCR Audit – National Crisis – Widespread Failure to do RA-RM

• Inexcusable, Unnecessary and Dangerous  

OCR/NIST HIPAA RA-RM Process explained simply – It’s just a 3 Act Play

• Act 1 – Setup – Risk Analysis Assemble Information – Identify, Document and Assess level of Risks
• Act 2 – Confrontation – Risk Management – Documented Actions to Manage Risks
• Act 3 – Resolution – Risk Management Program – Focused on your Organization’s Risks – Documented and Active 

How to do OCR/NIST RA-RM demonstrated Step-by-Step

Who Will Benefit?

All Health Care Covered Entities

• Practice Managers – Covered Entities
• HIPAA Compliance Officials – Privacy and Security Officers
• Patient Engagement Officials
• Health Information Technology Supervisors
• Risk Managers – Covered Entities
• Health Care Providers  practicing as individuals or in small groups
• Group Health Plan Administrators
• Third Party Group Health Plan Administrators
• Covered Entity Senior Management and Owners
• Attorneys for Covered Entities – In-house and Outside Counsel
• Compliance Committee – Covered Entity Board of Trustees
• C-Suite Executives – all Covered Entities
• Chief Compliance Officer – all Covered Entities

All Business Associates including:

• Billing and Coding companies
• Practice Management Companies and IT Vendors
• Data Storage firms (electronic and paper)
• Secure and unsecure providers of PHI Email and Text Message services
• Vendors of patient satisfaction surveys
• Law Firms representing Health Care Providers & Business Associates