Do Not Create Your Policies without First Doing a Risk Analysis! HIPAA & HITECH Act Blog by Jonathan P. Tomes


Although I love it when people buy my sample policies to adapt to their situation, we sometimes get asked to comment on policies from our purchasers when they have not yet done a Risk Analysis. We could do so, but it would be next to worthless.

As I have written, spoken about, and beaten people about the head and shoulders with, Risk Analysis is the key to HIPAA compliance. For example, the American Health Information Management Association excerpted one quote from my article from all the articles in the publication, “Keeping It Private: Staying Compliant with the HIPAA Privacy and Security Rules,” Journal of AHIMA, March 2012, p. 34, to feature in a box on the contents page. It read: “If you implement a security measure without conducting a risk analysis, you are just guessing.”

So if you, for example, write a policy specifying how workforce members are to protect your protected health information (“PHI”) without first doing a Risk Analysis, it is just guessing and may not be “reasonable and appropriate” so as to be a compliant policy and/or make clinical, financial, or administrative sense. For example, writing a workstation use policy that requires automatic logoff after five minutes of inactivity might be very secure, but would hardly seem appropriate for an emergency department electronic health record when the real risk is lack of access to critical health information in emergency treatment, such as whether the patient’s current meds contraindicate the use of Mannitol to control brain swelling. An equivalent alternate measure, such as manual logoff after the patient has been released to intensive care, may make a lot more sense and still be a reasonable and appropriate security measure. Because automatic logoff after a predetermined period of time is addressable, you must document (as in your written Risk Analysis) why it is not reasonable and appropriate (because you are going to lose patients if you cannot find out what meds they are on in an emergency) and why doing nothing or adopting an equivalent alternate measure is reasonable and appropriate. Massachusetts Eye and Ear Infirmary settled a HIPAA violation for $1.5 million for not documenting why failure to encrypt laptops (encryption is addressable) or implement an equivalent alternate measure, such as password protection, was not reasonable and appropriate (see my blog item posted September 17, 2012, “Another $1.5 Million HIPAA Hit!”).

So don’t waste your time and risk liability by drafting policies that are not based on the assessments that you have made in your written Risk Analysis.

If you have already completed our Gap Analysis Survey Questionnaire and now know the areas of HIPAA compliance that you need to address in your Risk Analysis, go to and purchase our new online Risk Analysis ToolKit package with written report and phone consultation, adapted from our best-selling paper version of the Risk Analysis ToolKit. If you have not yet completed a Gap Analysis to find out where you stand in your HIPAA compliance efforts, you can also purchase our Gap Analysis package with Gap Analysis Survey Questionnaire, written report, and phone consultation to get your organization started on the right path to HIPAA compliance and the proper documentation to prove such compliance.
