The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.
Now that everyone is back from the long weekend (relaxed, we hope), it’s time to get back to work.
As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about
what NEEDS to be done right now. Here’s a sample of the questions:
“Should I do a penetration test before Sept 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept 23rd?”
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?”
To quote Leon Rodriguez, the Director of the Department of Health and Human Services, Office of Civil Rights, which is
the lead federal agency for HIPAA enforcement: “The Number One Thing you need to do before September 23rd
is to update, or start a new, HIPAA Risk Analysis.”
According to the OCR Guideline on Risk Analysis, “Conducting a risk analysis is the first step in identifying and
implementing safeguards that comply with and carry out the standards and implementation specifications in the Security
Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful
guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”
This is why the first area OCR will address when they visit is: “Where is your HIPAA Risk Analysis?”
Where is yours? And has it been updated lately?
And did you know that Leon Rodriguez is on Twitter? His Twitter handle is @OCRLeon.