The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets many rules and regulations to help create guidelines for healthcare providers (covered entities) to protect the integrity of personal health information (PHI). The HIPPA Security Rule specifically requires conducting a security risk analysis per 45 CFR 164.308(a)(1). Part of the risk analysis includes implementing updates as necessary and correcting identified vulnerability (or documenting why they did not take action to address the vulnerability).
Recently the healthcare industry has seen a renewed focus on having a risk assessment because the Omnibus Rule expanded the requirements of the Security Rule risk analysis to healthcare vendors that access personal health information (Business Associates). Additionally, many providers have a new interest to have a compliant risk assessment in order to achieve Meaningful Use and receive incentive funds. Many providers and vendors are under a false assumption that they have correctly conducted a risk assessment and are compliant with the regulations but that is not always the case.
The industry has seen recent evidence that many organizations are not meeting the risk analysis requirements.
Many organizations conduct their assessment, check it off their list and falsely assume they met the requirements. This is apparent through the recent random compliance audits spearheaded by the Centers for Medicare & Medicaid Services and the Office for Civil Rights (OCR). Furthermore, risk analysis deficiencies are commonly uncovered during security incidents and investigations. Many organizations are not thorough enough, do not have the proper documentation, did not take action to mitigate identified risks, or have not revisited a risk analysis after a significant change to their security program.
In this hour-long session, IT security veteran Mac McMillan, CEO of CynergisTek and Chair of HIMSS Privacy and Security Policy Task Force, will review the risk analysis requirements for healthcare organizations and vendors and clarify some of the misconceptions that are common in the industry. McMillan will review the OCR approved NIST methodology and how it can be applied when conducting a risk assessment. This webinar is ideal for any organization that creates, receives, maintains or transmits PHI, as they are directly liable to meet the HIPAA Security Rule risk analysis requirements. Upon completion of this educational webinar, attendees will be much more knowledgeable on the subject and will be able to identify if their organization's risk assessment is in compliance. It will also provide an industry expert's guidance on conducting an assessment for organizations that need to assess their security program.
Why should you attend:
Does your risk assessment meet the requirements under Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Meaningful Use? Many organizations conduct a risk assessment and check it off their list. They assume their assessment was thorough enough and that it met regulatory requirements but that is often not the case. It is evident from the findings from security incidents and investigations, and the Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) random compliance audits that many organizations have an inefficient risk analysis process.
These discrepancies and inefficiencies can lead to hefty financial penalties from OCR, as well as having to pay back Meaningful Use incentive dollars.
Don't be one of the covered entities or business associates that falsely believe that a risk assessment is inapplicable to them. If you have a risk analysis process in place, don't be one of the organizations that is investigated or randomly audited and caught without a proper risk assessment that meets regulatory requirements. Learn how to verify if your process and methodology is sufficient by attending this webinar and better understand the requirements under the HIPAA Security Rule and Meaningful Use attestation requirements.
Areas Covered in the Session:
Who Will Benefit:
- Risk analysis requirements under the HIPAA Security Rule and Meaningful Use Stage 1 and 2
- Who is required to have a risk assessment
- The importance of risk analysis
- Addressable specifications
- Methodology when conducting a risk assessment
- The NIST Risk Analysis
- Documentation requirements
- Director of IT
- IT Manager
- Security Officer
- Risk Analyst/IT Risk Analyst
- Compliance Officers, Compliance Specialists