Steve Spearman
Share:
Risk analysis is the cornerstone of any HIPAA Security compliance program. It's the very first security safeguard (within the security management process standard) and is also required for the Meaningful Use program. For Meaningful Use, Modified Stage 2, it's the very first requirement for both providers and hospitals. Failure to comply has serious consequences.
Providers that fail to do a risk analysis, or an adequate risk analysis, may be denied Meaningful Use funds if they are audited. Or if they're the target of a post-payment audit, they may have to return funds. Based on data from late 2014, approximately 24% of providers failed their meaningful use audits and the primary reason cited was "failure to conduct a risk analysis."
Risk analysis is important and given prominence because it's the rule that requires covered entities to proactively discover and document the “risks and threats to the confidentiality, integrity and availability of ePHI.” It's the rule that holds covered entities accountable for ignorance. Covered entities are not allowed to use ignorance as an excuse to inadequately protect ePHI.
A risk analysis informs providers of the policies and procedures that need to be adopted, what security controls need to be implemented, and the type of training employees should receive. A risk analysis gives you a basis for decisions related to addressable safeguards, what kinds of resources should be made available for security, and the budgets needed to support those resources.
And for all of these reasons, and many more, risk analysis is unquestionably crucial to the financial success of your organization.
If you'd like to learn more about risk analysis, you can watch our free webinar on-demand, Risk Analysis Essentials, Simplified, where we discuss the risk analysis requirement of the HIPAA Security rules:
Questions or Comments?