Physician Law Blog

HIPAA requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps these organizations ensure compliance with HIPAA’s administrative, physical and technical safeguards. A risk assessment also helps reveal areas where an organization’s protected health information (PHI) could be at risk. The Office for Civil Rights released tools to assist covered entities. The Security Risk Assessment (SRA) Tool application lets a covered entity take a self-directed tour of HIPAA standards and helps conduct a risk assessment at the covered entity’s own pace. The tool shows each HIPAA standard that must be addressed and provides space to document how the covered entity will meet or plan to meet the current standard.

The Department of Health and Human Services' Office for Civil Rights, the division responsible for investigating HIPAA breaches, has said repeatedly encryption is one of the most basic things providers and business associates can implement to protect patient information. "Pay attention to encryption," said Susan McAndrew, deputy director for health information privacy at OCR, speaking at HIMSS14 this past month, particularly for any devices that can leave the office. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."

Susan McAndrew, Office of Civil Rights deputy director for health information privacy spoke at the HIMSS Conference on 2/24/14. As the OCR already made known, it plans to resume its HIPAA compliance audit program this year following the Pilot HIPAA Audit program in 2012. Now, more information is available on the progress towards the start of those audits. Ms. McAndrew addressed the topic, noting that “hopefully in the coming months you’ll see actual activity that will start the audit process.”