Conducting a Risk Analysis to Comply with Meaningful Use, HIPAA and HITECH

Why Should You Attend:

Risk analysis and risk management plans are the foundation of a HIPAA compliance program and should be complete and provide the documentation that an examiner may ask for. Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers in the risk management hierarchy including the organization level, network level, and information system level. Completing a risk analysis will guide an organization to make cost effective, risk based decisions and provide an enhanced security environment to protect data and reduce the risk of a reportable security breach.

This webinar will guide the user on the principles of risk analysis and risk management to prioritize risks. It will rely heavily on the NIST 800-30 which is mentioned in the preamble of the original rule and the OCR issued guidance on risk analysis (as revised and finalized on 09/18/2012.)

This session will:

• Focus on the key factors in determining and documenting the controls to be implemented regardless of the size of the organization.
• Explore the processes and methods that can assist organizations prioritize IT security projects by addressing the highest risks to the organization.
• Review the regulatory requirements for security risk analysis and management.
• Provide an overview of the types of risk analysis that can be performed.
• Offer a practical approach on how to comply with regulatory requirements for security risk analysis.
• Provide information about how to determine where the risks to the organization exist and point organizations to where to look for this information.

Areas Covered in the Webinar:

• Requirements of the HIPAA risk analysis security rule
• Meaningful use requirements and application certification criteria.
• How risk analysis helps a business make risk based decisions to prioritize security controls and make decisions.
• How to conduct a HIPAA security risk analysis using NIST 800-30 as a guide
• How to locate and document the location of protected data
• How to conduct a risk analysis and how to accomplish the requirement
1. Risk Analysis Steps
1. Identify the scope of the specific analysis;
2. Gather data;
3. Identify and document potential threats and vulnerabilities;
4. Assess and document current security measures;
5. Determine the likelihood of threat occurrence;
6. Determine the potential impact of threat occurrence;
7. Determine the level of risk;
8. Identify potential security measures and finalize documentation.
2. Risk Management Steps
1. Develop and implement a risk management plan;
2. Implement security measures; and
3. Evaluate (monitor) and maintain security measures.
3. Risk Mitigation or Acceptance Options
• Define Reasonable by Using the HIPAA Regulation as a Guide:
• Size, complexity, and capabilities of the covered entity
• The covered entity's technical infrastructure, hardware, and software security capabilities
• Costs of security measures
• Probability and criticality of potential risks to EPHI

Who Will Benefit:

This webinar will provide valuable assistance to all personnel in medical offices, practice groups, hospitals, academic medical centers, insurers, business associates (shredding, data storage, systems vendors, billing services, etc). The titles are:

• Compliance Officer
• Chief Information Officer
• CEO, CFO
• Privacy Officer
• Security Officer
• Information Systems Managers (Network and Applications)
• HIPAA Officer
• Health Information Manager
• Healthcare Counsel/lawyer
• Office Manager

Instructor Profile:

William Miaoulis, CISA, CISM, is a senior healthcare information system (IS) professional with more than 20 years of healthcare Information Security experience. Mr. Miaoulis is the founder and primary consultant for HSP Associates. Prior to starting HSP Associates in January of 2013, Bill was the Chief Information Security Officer (CISO) and led the HIPAA security and privacy consulting efforts for Phoenix Health Systems for over 11 years and also was the HIPAA Consulting Manager for SAIC for 18 months. For seven years, he was the University of Alabama Birmingham (UAB) Medical Center’s Information Security Officer, where he instituted the first security and privacy programs at UAB starting in October 1992.

Mr. Miaoulis contributes to the industry by frequently speaking at conferences on security matters, including recent sessions on Risk Analysis/Risk Management, Creating and Implementing Effective Security Policies, Understanding the HIPAA Security Rule, and Creating Effective Security Incident Response Procedures. He has been interviewed and quoted by numerous publications including: SC Magazine, Health Data Management, Briefings on Healthcare Security, Computerworld; and Health Information Compliance Insider. He has worked with AHIMA to produce the book “Preparing for a HIPAA Security Compliance Assessment” and also has worked on updating the AHIMA Security Practice Briefs.

Topic Background:

The HIPAA security rule requires the risk analysis be completed to determine security risks to the confidentiality, integrity and availability of protected health information. It also requires implementing measures “to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level.”

Organizations have been fined or agreed to pay millions of dollars and agree to compliance action plans when the OCR auditors have found them to be HIPAA non-compliant. In addition, the lack of sufficient controls has led to many organizations having to report breaches to HHS, the patient and the media. The EMR Meaningful Use Post-Pay audits will request an entities risk analysis(s) and supporting implementation plans and completion dates such as:
“Protect Electronic Health Information: Provide proof that a security risk analysis of the Certified EHR Technology was performed prior to the end of the reporting period (i.e. report which documents the procedures performed during the analysis and the results of the analysis). If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”

It is not the vendor’s responsibility to conduct an application risk analysis; it is the covered entities responsibility. The Meaningful Use guidance has also shown that your risk analysis cannot be limited to just the Certified Electronic Medical Record.

Follow us :