Doctors should beware of thinking there is a ‘safe harbor’ relative to HIPAA compliance simply because they have completed a Risk Analysis. The Risk Analysis applies to the HIPAA security rules, is only one piece of a very large puzzle, and cannot be handled in a checklist format (per the law)!
When Dr. Ty Talcott, an attendee of the conference, was asked for comment on the importance of a risk analysis, he replied:
Due to the recent widespread publicity surrounding audits, requiring doctors to submit their risk analysis to CMS, some doctors have come to believe that once you perform this analysis you are “OK” relative to HIPAA—this is a dangerous thought process.
A further concern of conference attendees is the rapid flood of Risk Analysis documents this has brought to market from a diverse group of equipment manufacturers, health care vendors and others. Many of these are in a ‘checklist format’, and the HIPAA law clearly states that while checklists might be a helpful tool to collect your personal data, they ARE NOT ADEQUATE OR ACCEPTABLE as a risk analysis. At times the implication is that one must have a particular company’s Risk Analysis to be compliant. One company in Texas has been purported to state, on webinars, that you had to have your staff trained and certified via THEIR training process or you would be fined in the event of a HIPAA audit, relative to state law that supersedes HIPAA. They even implied as much on their website by quoting the law and then adding verbiage, not in the law, under which it appears you must have “certified training”. However, there is no official CERTIFYING agency and no such requirement under the law (this was also a topic of discussion at the conference). The practice’s compliance officer has to document (certify) that their staff has attended training, but there is no requirement as to who performs that training. BEWARE.
Interestingly, it was the Office for Civil Rights (OCR) that had top billing (along with NIST) at the Washington D.C. HIPAA conference. OCR is the agency that enforces the HIPAA PRIVACY rules, which are separate from the security rules.
About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services – a company dedicated to protecting healthcare professionals by producing simplified “how to” step-by-step training materials and procedures to assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program.