Chiropractic Economics Your Online Chiropractic Community

HIPAA consulting vendors often misinterpret a key compliance requirement

Jeff Brown May 21, 2018

All too often, consultants and software vendors promote a “risk assessment” as part of their services in lieu of a bona fide “risk analysis.” A risk analysis is not only required, it is paramount to your HIPAA compliance efforts, while a risk assessment is merely a “gap analysis” and not a requirement at all.

The Office of Civil Rights (OCR), the enforcement arm for HIPAA compliance, clarified a critical distinction between risk-assessment types in its April 2018 Cybersecurity Newsletter, “Risk Analyses vs. Gap Analyses – What is the difference?”

This is important to note because it signals the OCR’s awareness of a glaring disconnect regarding the risk analysis requirement among providers, HIPAA consulting services and throughout the health care industry as a whole.

All too often, consultants and software vendors promote a “risk assessment” as part of their services in lieu of a bona fide “risk analysis.” The two terms sound similar; however, they are entirely different entities. A risk analysis is not only required, it is paramount to your HIPAA compliance efforts, while a risk assessment is merely a “gap analysis” and not a requirement at all. Furthermore, performing a risk assessment alone might create a negative legal ramification in the event you face an audit.

Confusion persists because the term “assessment” is used on many occasions in the context of both a risk assessment and risk analysis throughout HIPAA literature. To make matters worse, HealthIT.gov has a free Security Risk Assessment Tool available for download and people incorrectly assume using the tool constitutes a risk analysis because it was created by a government entity.

In fact, software vendors regularly duplicate the free tool, add bells and whistles to it, and then sell their product as if it includes a risk analysis feature—when the actual feature is a risk assessment.

In an attempt to bring clarity, the OCR’s recent Cybersecurity Newsletter uses the following language to define Risk Analysis and risk assessment.

Risk analysis

A comprehensive evaluation of a covered entity or business associate’s enterprise to identify electronic protected health information (ePHI) and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.

Risk assessment (a.k.a. gap analysis)

A narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the HIPAA Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.

The law firm of McDermott Will & Emery published a fantastic Report titled The Continuing Disconnect between the Health Care Industry and OCR on HIPAA’s Risk Analysis Requirement. Within the Report you will find recent OCR audit results, what the OCR considers to be a compliant Risk Analysis, and what is clearly not considered to be compliant. The full Report can be found at https://www.jdsupra.com/legalnews/on-the-subject-the-continuing-22726/.

Your next step is to immediately ask your HIPAA consultant or software vendor to provide proof you are compliant with the Risk Analysis requirement. If you discover a risk assessment (gap analysis) is what you have been doing instead, ask for help in completing a bona fide Risk Analysis or find another vendor who can. It is apparent HIPAA compliance is a buyer-beware market. Since you are the buyer, you must be aware.

Jeff Brown, DC, is obsessed with creating time-saving HIPAA compliance software. Brown’s career spans private practice, compliance consulting, and software product management for three healthcare technology companies. He is a co-founder of HIPAAmate—compliance software designed and priced for small practices—and can be contacted at 614-706-2066, hipaamate@gmail.com, or through hipaamate.com.
