Getting your brain around HIPAA and risk management

Published on: January 09th, 2018

continual process

We have been busy trying to improve our risk management process for our clients.  In other words, we are always trying to decrease the risk or probability that their patient data will be breached.  More generically, we have been trying to make sure our clients are more HIPAA complaint.  It is our philosophy that an organization is never fully HIPAA compliant.  They should never rest and strive to increase its culture of compliance.

why HIPAA is vague

After years of doing this, like everyone else, we still struggle with the non-specificity of HIPAA.  Instead of complaining about this, one realizes that the government had to come up with something that is flexible and abstract.   Enough to apply to organizations of all shapes and sizes that deal with patient data. The HIPAA Security Rule is basically a list of cyber-security counter measures to follow.  If a organization follows these, they will decrease the probability of losing patient data.

the difference between risk analysis, assessment, and management

More specifically, we still struggle with the definitions of risk analysis, risk assessment, and risk  management.  Recently, we have settled on that a bunch risk analysis is part of your overall risk assessment process which is part of risk management of patient data.  Honestly, I still struggle with what I just wrote but below is a link that might better explain or diagram

Also, to come to grips with how to implement and execute the HIPAA Security Rule, I like the following in the HHS HIPAA Security series:

As stated in the responses to public comment in the preamble to the Security Rule, the Security Management Process standard and associated implementation specifications “form the foundation upon which an entity’s necessary security activities are built.” The results from the risk analysis and risk management processes will become the baseline for security processes within covered entities.

To attempt to put in my own words:  The risk management of an organization’s patient data is an intersection of the result from the risk assessments (which includes a myriad risk analysis) of their specific IT systems and then using the HIPAA Security Rule as a check list of security counter measures.

Ironically, this has been a fairly generic, non-specific blog.  But check back later for more tips on implementing the HIPAA Security Rule for your small medical practice!


You might also like

With an evolving business comes expanding technological needs. If your business is sending you any of these signs that it’s time to update your technology.