Risk Analysis: The First One Is the Worst One: HIPAA & HITECH Act Blog by Jonathan P. Tomes with Guest Commentator Alice M. McCart, J.D.

We have many new HIPAA consulting clients at EMR Legal and many new HIPAA compliance tools customers at Veterans Press who know that they must complete the written Risk Analysis required under HIPAA but who are feeling overwhelmed and struggling with completing it. If it helps any, completing that first Risk Analysis is always the hardest, for several reasons.

First, the first one is the worst one because it is new territory, and the learning curve is steep. As Jon Tomes has taught for more than a decade and a half, completing an effective risk analysis involves the following steps:

  • Assemble the Risk Analysis Team.
  • Inventory assets. What protected health information (“PHI”) do you have in all forms that you must protect?
  • Identify the threats/risks to those assets.
  • Quantify the risks/threats: (1) How likely is each risk to occur? And (2) How harmful will it be if it does occur? The second part of this step comes down to determining how long you would have to stay in federal prison and/or how big the fine would be if the PHI were improperly used or disclosed.
  • Select reasonable and appropriate, cost-effective security measures by balancing the cost of the security measures against the harm that would occur if the measures were not in place and a breach resulted.
  • Implement the selected security measures, including training your workforce and writing policies and procedures, consents, authorizations, and the like.
  • Test and revise.
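The quantify-and-select steps above can be worked as a small risk register: estimate how often each threat occurs and what each occurrence costs, then keep only the measures whose annual cost is below the loss they avert. The following example is added here and is not part of the original post or of the HIPAA Compliance Library; the laptop figures (three losses in five years, replacement and penalty exposure, control costs and effectiveness) are constructed assumptions, not data from the post.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Risk:
    """One row of the risk register: an asset holding PHI and one threat to it."""
    asset: str
    threat: str
    events_per_year: float   # how likely: expected occurrences per year, from your own history
    harm_per_event: float    # how harmful: dollars per occurrence (replacement, notification, penalties)

@dataclass
class Control:
    """A candidate security measure and its assumed effect on one threat."""
    name: str
    threat: str
    annual_cost: float
    likelihood_reduction: float  # fraction of occurrences prevented, 0.0 to 1.0
    harm_reduction: float        # fraction of per-event harm removed, 0.0 to 1.0

def expected_annual_loss(risk: Risk) -> float:
    return risk.events_per_year * risk.harm_per_event

def residual_annual_loss(risk: Risk, control: Control) -> float:
    return (risk.events_per_year * (1 - control.likelihood_reduction)
            * risk.harm_per_event * (1 - control.harm_reduction))

def evaluate_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, float, float, bool]]:
    """Return (control name, annual benefit, annual cost, cost_effective) for each control.
    A measure counts as reasonable and appropriate here when the loss it averts exceeds its cost."""
    by_threat = {r.threat: r for r in risks}
    results = []
    for c in controls:
        risk = by_threat[c.threat]
        benefit = expected_annual_loss(risk) - residual_annual_loss(risk, c)
        results.append((c.name, benefit, c.annual_cost, benefit > c.annual_cost))
    return results

# Constructed sample data (assumptions, not figures from the post): 3 laptops lost in 5 years,
# each costing $1,500 to replace plus an assumed $50,000 in notification and penalty exposure.
LAPTOP_RISK = Risk("workforce laptops with ePHI", "lost/stolen laptop", 3 / 5, 1_500 + 50_000)

CANDIDATE_CONTROLS = [  # costs and reductions are constructed assumptions
    Control("full-disk encryption", "lost/stolen laptop", 2_000, 0.0, 0.95),
    Control("asset tracking + remote wipe", "lost/stolen laptop", 600, 0.2, 0.3),
    Control("armed courier for every laptop move", "lost/stolen laptop", 40_000, 0.5, 0.0),
]

if __name__ == "__main__":
    for name, benefit, cost, adopt in evaluate_controls([LAPTOP_RISK], CANDIDATE_CONTROLS):
        print(f"{name:38s} benefit ${benefit:>10,.0f}  cost ${cost:>8,.0f}  {'ADOPT' if adopt else 'REJECT'}")
```

The same register grows one `Risk` row per asset/threat pair as the team inventories PHI, and the accepted rows become the documented rationale for the measures you implement.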

Second, the first one is the worst one because the initial chore can be quite daunting, especially the first time: capturing all of the above information in a single written Risk Analysis document; assigning tasks to various members of the team to research, say, how many lost/stolen laptops have had to be replaced in the past five years and how much it cost to replace them, among other things that will crop up as you go along; assigning probability and costs to the risks; and researching and documenting possible reasonable and appropriate, cost-effective solutions. It will get easier next year and the year after that to update it as required, because you will have a solid base to build from—that is, if you take the time and energy and trouble now to do it right this first time. Hint: it helps to keep a little notebook by your bed so that, in the middle of the night when your eyes fly open because you suddenly remember something that you need to add to your first Risk Analysis, you can jot it down and go back to sleep in peace.

Third, the first one is the worst one because you know that there must be help out there but you may not know where to find it or you may know that you have the help in our HIPAA Compliance Library but you don’t know what to dive into first. If you do not yet have our HIPAA Compliance Library by Jonathan P. Tomes, go to our Veterans Press website and order it. If you already have it but have been afraid to open the box for the past year or so, know that you are not alone. Today, open the box, take out all the individual items, such as books, binders, CD, and DVD, and thumb through them. Tomorrow, pop in your HIPAA Documents Resource Center CD, 6th edition, find the Risk Analysis ToolKit, and save it to your computer with tomorrow’s date on it. Read through the steps and then see how many steps you can complete or at least get a good start on. Do not be concerned at how long it is because it was designed for very small practices up to very large hospitals. You may also want to sign up for a webinar that Jon Tomes is presenting through MentorHealth on Thursday, September 17, 2015, at noon-1:30 Central time, on how to do a Risk Analysis. You can sign up for it from our seminars page on our Veterans Press website. While you are on our seminars page, you may also want to sign up for my webinar also through MentorHealth on Tuesday, September 15, 2015, at noon-1:30 Central time, on how to write HIPAA policies and procedures.

Yes, as for your required HIPAA Risk Analysis, the first one is the worst one, but once you have learned to do it correctly with help from others in your organization and with help from outside your organization, such as all of the materials and guidance in our HIPAA Compliance Library, your Risk Analysis updates, both annually and as your circumstances change, will almost magically begin to write themselves. Really. Just as your job is to help people get well and stay well, our job is to provide you effective CYA to help you avoid that free trip to Leavenworth (not lovely Leavenworth, Washington, but the austere maximum security federal prison in Leavenworth, Kansas) and that expensive trip to the bank to get money to pay civil money penalties under HIPAA.

If you want to hire us to help you with your Risk Analysis onsite or offsite or any other HIPAA compliance matters, please contact us at alice@veteranspress.com and jon@veteranspress.com.
