Acting without Accurate Data Is Just Guessing: HIPAA & HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Alice M. McCart

For those of you who are still reluctant to perform your first Risk Analysis or to update one from perhaps a few years ago, as required under HIPAA, consider that implementing policies and procedures for your practice or business without an accurate and thorough Risk Analysis upon which to base your decisions is just plain guessing, as Jon Tomes always says. Surely, you would not prescribe drugs or therapy or other treatments without first having obtained the most accurate data that you could get about your patient, such as blood work, other lab work, EKG, Doppler, X-rays, and so forth. So how can you expect to prescribe for your practice or business the best policies and procedures without an accurate, up-to-date, complete, thorough Risk Analysis?

Take, for example, the perhaps seemingly unrelated case of Apollo 13. Many of us enjoy watching the movie again every April. In it, the actor playing NASA Flight Director Gene Kranz says not only, “Failure is not an option,” but also words along the lines of, “Let’s work the problem, people. Let’s not make it worse by just guessing.”

I recently had occasion to have people, besides my demanding researcher daughter Elizabeth McCart with her master’s in biotechnology from Johns Hopkins, ask me for my numbers. I had gone about 10 years without insurance during the past 15 years or so, so I hadn’t had any routine checkups or otherwise had reason to find out my numbers. The most startling lab result last week was that my toe had a toe’s equivalent of strep throat. I was in shock. I thought that I had done everything right since my last surgery, which was in 1978: vegetarian for 31 years, stopped smoking 3 packs a day 30 years ago, vegan for 25 years, no alcohol for 25 years, no wheat for 4 years, and finished 2 Marine Corps Marathons more than 10 years ago after I had turned 54. Yeah, I know. I’m not much fun at parties any more. Some of my alternative healing friends have told me, however, that, if I had not been such a good girl for so long, I would have already lost my entire foot if not also part of my leg, instead of just two-thirds of my toe for having waited so long to go get my numbers.

I apologize for the gory personal story, but think about it in terms of performing an accurate, up-to-date, complete, thorough Risk Analysis. If I had had sense enough to go get my numbers a few weeks ago when I first suspected that my toe might be angry about something, I could have gotten the help that I needed sooner and perhaps avoided outpatient surgery altogether. If you do/update your Risk Analysis soon enough, you won’t have to wait till the Feds investigate or audit you for HIPAA compliance and then slap a six- or seven-figure unwaivable fine on you for willful neglect for not having done/updated the required Risk Analysis and for not having implemented reasonable and appropriate policies and procedures based on that written Risk Analysis. Don’t be smug like me. Don’t guess at those numbers and hope for the best and assume that you’re already doing the best. Be smart. Find out the numbers and facts in your situation in your Risk Analysis. Is it fun to do a written Risk Analysis? No, but it’s a lot less painful than not doing one and getting caught without having done one in a HIPAA breach, complaint, audit, or investigation.

If you have bought our HIPAA Compliance Library by Jonathan P. Tomes, you have the tools that you need to perform/update your Risk Analysis. If you need help, contact us. We’re not necessarily cheap, but we’re good, especially nationally recognized HIPAA expert Jon Tomes.

In your Risk Analysis, think about your practice or business and figure out what your workforce does, especially with protected health information (“PHI”). Document whether you’ve ever had a problem with what they do, such as a breach, complaint, or investigation. Then think about and document what could happen, how likely it is to happen, how bad it would be if it did happen, what to do to prevent it, and how to deal with it if it does happen.

For example, Jon Tomes has written, and we have just now posted in the Premium Member section of our website, a new sample mail handling policy. We trust that you will find it helpful, but only after you have documented in your Risk Analysis how you handle incoming mail now, what forms and formats it arrives in, whether you’ve ever had issues with it, whether it likely contains PHI, and what you decide would be a good idea to do about it. Don’t just load the sample policy into your computer, copy and replace [name of organization] with the name of your practice or business, and then adopt it. You must base your policy on real numbers and documented history, not just guessing. You may discover, for example, that you need to add something to the sample policy that we hadn’t thought of. If you wonder how to access our Premium Member section, you can buy a one-year subscription online at, or you can get a free one-year subscription with your purchase of Jon’s HIPAA Compliance Library, also available online at

And keep written documentation of your new and updated Risk Analyses in Your Happy HIPAA Book, which is also included in Jon’s HIPAA Compliance Library. HIPAA requires that you keep this written evidence of HIPAA compliance for six years.

That way, you won’t lose your toe. Although Jon Tomes did observe that my pedicures should be cheaper now that I will forever have only 9 toenails. Argh.