HIPAA Security Risk Assessments … Accurate, Up-To-Date and Documented?

During 2014, two different audit programs conducted by the U.S. Department of Health and Human Services (“HHS”) will continue to focus on HIPAA security risk assessments. 

The first audit program, currently being conducted by HHS’ Centers for Medicare and Medicaid Services (“CMS”), concerns eligible hospitals and professionals who seek incentive payments for “meaningful use” of electronic health records under the EHR Incentive Program for Program Year 2013.  One of the “meaningful use” audit criteria for this Program Year requires documentary evidence that a security risk assessment or analysis was conducted to ensure the privacy and security of patients’ protected health information. 

The second audit program, to be conducted by HHS’ Office of Civil Rights (“OCR”), will concern both HIPAA Covered Entities and Business Associates and their compliance with HIPAA privacy and security requirements.  Evidence of security risk assessments will be critical to the OCR’s 2014 audit criteria.  

As a result of a collaborative effort by the OCR and HHS’ Office of the National Coordinator for Health Information Technology (“ONC”), a new security risk assessment tool has been published online at www.HealthIT.gov/security-risk-assessment. Additional video and tutorial resources are also available. These tools are intended to help HIPAA covered entities and business associates, and those covered entities seeking “meaningful use” incentive payments, comply with the related HIPAA and Program Year 2013 requirements.


Questions regarding these audit procedures or the conduct of a security risk assessment process should be directed to Susan Ziel at sziel@kdlegal.com or Meghan McNab at mmcnab@kdlegal.com.