Though the Department of Health and Human Services (HHS) released its HIPAA security risk assessment tool a few weeks ago, it’s still unclear how healthcare organizations will use the tool as part of their HIPAA Security Rule compliance strategy. Most organizations realize the tool isn’t necessarily a panacea for federal compliance needs. However, according to Alisa Chestler, a shareholder in the Washington, D.C. office of Baker Donelson, the beauty of the tool for small to mid-size providers is that it’s flexible and serves as a good starting point for those who may be lacking in risk analyses.
Chestler, who concentrates her practice in healthcare regulatory compliance, privacy, security and records management issues, discussed the tool’s benefits and uses with HealthITSecurity.com.
What are your general impressions of the HIPAA security risk assessment tool?
First and foremost, with this tool the government is reinforcing how seriously they’re taking this: that this type of analysis is required of the small providers, what they should know and the expectation that the risk analysis be completed. Secondly, as they begin to see what the tool is all about, they will quickly realize how much of a deep dive it is. So even if it’s not as robust as, say, the audit protocol, it shouldn’t be scoffed at because it will make providers think of things that they never would have thought of before.
Is it robust enough and does it help providers get to where they want to be?
I’d be concerned about fatigue on the part of smaller providers once they are looking at the tool. There’s the potential that they don’t think it’s meant for them or they want to give up, but they have to reach that stage of acceptance. What struck me about the Security Risk Assessment Videos included within the tool was that they can help prepare the provider for that fatigue. You can’t sit down in a few hours and complete it quickly or easily. There’s the expectation that in working through the tool, clinical staff will have to pause or do other things and then come back to it because there’s much more inside the tool than they expected.
Next, the government has provided this tool for smaller providers. But there’s no assurance that it will prevent them from having a breach or fully cover them in the event of a breach. Fundamentally, though, without it they’re at a total loss. So maybe this is a step in the right direction, but it’s a big step.
How will they use the tool?
There’s a variety of ways they can use it; the question will be what the provider is comfortable with. It’s harder for smaller providers to discern who the best partners are and whether this solution is any better than any other solution. All of these products say they’re HIPAA compliant, but what does that really mean? Doctors and small organizations have to be leery of that because they figure if they’re spending X amount of money and they say they’re HIPAA compliant, then they are all set. But so much of this is dependent on having a fundamental understanding of what they’re doing and what the partner may or may not be able to do.
Where does the tool fit into an organization’s HIPAA compliance plans?
The Security Risk Assessment is Step 1 in HIPAA Security compliance. Years ago, everyone may have had off-the-shelf policies and procedures, but you can’t do that anymore because everyone has such a different way of doing it. In most of the enforcement actions that we’ve seen over the past two years, the first thing that the government points out is a failure of a security risk analysis. Thought leaders and entities such as the American Medical Association (AMA) should realize that this is a starting point. So much is growing in this area and will continue to grow in this area.