The federal regulators from the U.S. Department of Health and Human Services are from the Office of Civil Rights. They think that breaches in patient information protection is a violation of the patient’s civil right! Regulators commonly assess fees for non-compliance and some are as high as $4 milion dollars.
Because the OCR just came out with new Audit Guidelines this summer (email me and I’ll send you a copy), we all can see that the visits to healthcare organizations are still speeding up, and even more rules are coming this fall as they reconcile the HIPAA Security Rule with the HIPAA Privacy Rule with the Breach Notification Rule. I call this: MEGA HIPAA!
Because the current HIPAA rules have been in place for over ten years, and because the new Rules may be much more complex, it makes sense to finish your 2012 HIPAA Risk Analysis for either Security or Privacy, or both, before December 31, 2012.
My experience with federal regulators and auditors leads me to believe that a HIPAA Security Risk Analysis that is finished before the end of this calendar year will go a long way in reassuring regulators that there is, at least, a formal process in place to assess the risks to patient medical information.
A new software program is based on my original free Data Collection Guide,and can be used to complete these important security rules at a fraction of the cost of older, out-of-date risk analysis programs. Or do it on a spreadsheet.
Remember, you can also use it in your Meaningful Use Risk Assessment. A two-for-one.
My advice: Take the easy way out. Finish the Risk Analysis!