HIPAA Compliance Services


A Risk Analysis does not equal a HIPAA compliance program, Washington D.C. symposium confirms.

October 17, 2014

Doctors should beware of assuming there is a "safe harbor" from HIPAA enforcement simply because they have completed a Risk Analysis. The Risk Analysis is a requirement of the HIPAA Security Rule, it is only one piece of a very large puzzle, and it cannot be satisfied with a checklist (per the law)!

When Dr. Ty Talcott, an attendee of the conference, was asked to comment on the importance of a risk analysis, he replied:

“When you ask a carpenter to build you a new house and only hand him a hammer, you have given him a critical tool that he cannot build the house without; however, he still can’t build the house in the absence of all the other tools and materials needed. The Risk Analysis is like that hammer. You have to have one to build a HIPAA SECURITY RULES compliance program, but you still must have much more, such as compliant forms, multiple audits completed, specific policies and procedures written and agreed to by staff [typically about 80 pages in a standard chiropractic office], an appointed compliance officer with appropriate documentation, all of the PRIVACY RULES in place, including the OMNIBUS rule updates from 2013, with the new Notice of Patient Privacy Policy going to each and every new patient and a signed acknowledgment from those patients, contingency plans, including emergency mode operations, and the list goes on.”

Because of the recent widespread publicity surrounding audits that require doctors to submit their risk analysis to CMS, some doctors have come to believe that once this analysis is performed they are "OK" with respect to HIPAA. This is a dangerous way of thinking.

Another concern of conference attendees is the rapid flood of Risk Analysis documents this publicity has brought to market from a diverse group of equipment manufacturers, healthcare vendors and others. Many of these are in a checklist format, and the HIPAA law is clear that while a checklist may be a helpful tool for collecting your practice's information, a checklist alone IS NOT ADEQUATE OR ACCEPTABLE as a risk analysis.

At times the implication is that one must purchase a particular company's Risk Analysis to be compliant. One company in Texas has reportedly stated on webinars that you must have your staff trained and certified through THEIR training process or you will be fined in the event of a HIPAA audit, citing a state law that supposedly supersedes HIPAA. Their website implied the same by quoting the law and then adding verbiage, not found in the law, suggesting that "certified training" is required. However, there is no official CERTIFYING agency and no such requirement under the law (this was also a topic of discussion at the conference). The practice's compliance officer must document (certify) that staff have attended training, but there is no requirement as to who performs that training. BEWARE.

Interestingly, it was the Office for Civil Rights (OCR) that had top billing (along with NIST) at the Washington D.C. HIPAA conference. OCR is the agency that enforces both the HIPAA PRIVACY Rule and the SECURITY Rule; the Privacy Rule requirements are separate from, and in addition to, the Security Rule requirements that the Risk Analysis addresses.

About: For more information on this topic or other HIPAA compliance questions, please contact Dr. Ty Talcott, CHPSE, at HIPAA Compliance Services, a company dedicated to protecting healthcare professionals by producing simplified "how to" step-by-step training materials and procedures to assist doctors and clinic support personnel with establishing, maintaining and updating their HIPAA compliance program.
