HIPAA Risk Analysis - Techniques to Find and Manage Security Risks

Duration: 90 Minutes
Instructor: Jim Sheldon-Dean
Webinar Id: 800283


The session will present how to use risk analysis techniques to help make good compliance decisions that are defensible and sensible. For many compliance questions, careful consideration of the likelihood of the issue being a problem, and the potential impact if it is a problem, can help provide understanding of how to prioritize and compare risk issues and make day-to-day decisions.

This session will cover the requirements for risk analysis and assessment in the HIPAA rules and provide a framework for analysis of risks for compliance with HIPAA Security Rule requirements (in §164.308(a)(1)) and the new breach determination requirements in the updated HIPAA Breach Notification Rule, and show how the two are related in a good compliance program. We will show how to go about assessing your risks and organizing your compliance plan, and show how having that information makes it easier to assess risks in the event of a breach.

For the Security Rule, we will explain what is called for in the rule and show a way to approach the work in an organized way that saves effort and produces meaningful results, with examples of how to conduct the risk analysis, and sample documents and templates provided. For the updated Breach Notification Rule, we will explain how the new process differs from the old "harm standard" that has been removed from the rule. If none of the defined exceptions for notification apply, the breach is reportable unless you can show, by a risk analysis, that there is a "low probability of compromise." The risk analysis must include at least four factors: 1) what the data is, how well identified it is, and how sensitive it is, 2) to whom the data was improperly disclosed, 3) whether or not the information was actually viewed or accessed, and 4) how the breach was mitigated. Issues with any one of the four factors can require reporting the breach. We will explain how to consider these factors.
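As an added example that is not part of this listing or of the presenter's materials, the following Python sketches the two techniques the description names: a likelihood times impact risk register used to compare and prioritize issues, and a four-factor breach assessment that stays reportable when any one factor indicates elevated risk, with the factor findings recorded so the decision can be documented later. The 1-5 scales, the "low"/"high" factor ratings, the decision rule and the sample register entries are all assumptions made for illustration.

```python
# Added example, not code from the webinar or from Lewis Creek Systems: a small
# likelihood x impact risk register and a four-factor breach assessment of the
# kind the session description outlines. The 1-5 scales, the "low"/"high"
# factor ratings and the decision rule are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class Risk:
    issue: str
    likelihood: int          # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int              # assumed scale: 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)  # existing safeguards

    def score(self) -> int:
        # Likelihood x impact gives one number to compare and prioritize issues.
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    # Reject ratings off the assumed scale so the register stays comparable.
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} for {risk.issue!r} must be 1..5, got {value}")


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order risks highest score first; ties go to the higher impact."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_RISKS = [
    Risk("Unencrypted laptops holding PHI", likelihood=4, impact=5, controls=["asset inventory"]),
    Risk("Shared logins on clinic workstations", likelihood=3, impact=3, controls=["screen lock"]),
    Risk("Paper charts in locked records room", likelihood=2, impact=2, controls=["key control"]),
]


@dataclass
class BreachFactors:
    """The four factors the updated Breach Notification Rule requires be considered."""
    data_nature: str         # factor 1: identifiability/sensitivity of the PHI, "low" or "high"
    recipient: str           # factor 2: who received it, "low" or "high" risk (assumed rating)
    actually_accessed: bool  # factor 3: whether the PHI was actually viewed or acquired
    mitigated: bool          # factor 4: whether the risk has been mitigated


def is_reportable(f: BreachFactors, exception_applies: bool = False) -> bool:
    """Reportable unless a defined exception applies or the risk analysis shows a
    low probability of compromise. Decision rule (an assumption): every factor
    must point to low risk; an issue with any one factor keeps it reportable."""
    if exception_applies:
        return False
    low_probability = (
        f.data_nature == "low"
        and f.recipient == "low"
        and not f.actually_accessed
        and f.mitigated
    )
    return not low_probability


def assessment_record(f: BreachFactors, exception_applies: bool = False) -> dict:
    """Return the documentation an auditor would expect: each factor's finding
    plus the conclusion, so the decision can be shown later."""
    return {
        "factor_1_nature_of_phi": f.data_nature,
        "factor_2_recipient": f.recipient,
        "factor_3_actually_accessed": f.actually_accessed,
        "factor_4_mitigated": f.mitigated,
        "exception_applies": exception_applies,
        "reportable": is_reportable(f, exception_applies),
    }


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score():>2}  {r.issue}  (controls: {', '.join(r.controls)})")
    print(assessment_record(BreachFactors("high", "high", True, False)))
```

The register and the breach assessment share the same inputs on purpose: the sensitivity rating you assign an asset during the Security Rule risk analysis is exactly what factor 1 asks for when that asset is later involved in an incident, which is the link the description draws between the two rules.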

The session will also include information on HIPAA Audits and how to be prepared to show that you have the right policies and procedures in place and are using them. To withstand random audits and investigations of non-compliance that may result from a breach report or complaint, thorough documentation of compliance-related activity is required. We will explain how to document your compliance using the HIPAA Audit Protocol as a guide, so you can be sure to avoid trouble if HHS asks questions about your compliance.

Areas Covered in the Session:

  • Identification of requirements for Risk Analysis in the HIPAA Privacy, Security, and Breach Notification Rules and the Meaningful Use Rules
  • Presentation of methods for identifying and evaluating risks
  • Techniques for organizing issues and prioritizing risk mitigation
  • How a thorough Risk Analysis satisfies many requirements in HIPAA at once
  • The difference between a HIPAA Risk Analysis and a Meaningful Use Risk Analysis
  • The Four Factors to consider in a Risk Assessment for determining whether or not to report a breach
  • Evaluating and comparing risks and risk mitigation methods
  • Policy versus Technology - both can bring compliance, but both must be audited by you

Who Will Benefit:
  • Compliance Director
  • CEO
  • CFO
  • Privacy Officer
  • Security Officer
  • Information Systems Manager
  • HIPAA Officer
  • Chief Information Officer
  • Health Information Manager
  • Healthcare Counsel/lawyer
  • Office Manager

Educational Objective(s)
Upon completion of this activity, participants will be able to:
  • Present how to use risk analysis techniques to help make good compliance decisions that are defensible and sensible.

CME Credit Statement
This activity has been planned and implemented in accordance with the Essential Areas and Policies of the Accreditation Council for Continuing Medical Education (ACCME) through the joint sponsorship of CFMC and MentorHealth. CFMC is accredited by the ACCME to provide continuing medical education for physicians.

CFMC designates this educational activity for a maximum of 1.5 AMA PRA Category 1 Credits™. Physicians should only claim credit commensurate with the extent of their participation in the activity.

Other Healthcare Professionals Credit Statement
This educational activity has been planned and implemented following the administrative and educational design criteria required for certification of health care professions continuing education credits. Registrants attending this activity may submit their certificate along with a copy of the course content to their professional organizations or state licensing agencies for recognition for 1.5 hours.

Disclosure Statement
It is the policy of CFMC and MentorHealth that the faculty discloses real or apparent conflicts of interest relating to the topics of the educational activity. All members of the faculty and planning team have nothing to disclose, nor do they have any vested interests or affiliations.

Obtaining Certificate of Credit

Colorado Foundation for Medical Care (CFMC) hosts an online activity evaluation system, certificate and outcomes measurement process. Following the activity, you must link to CFMC's online site (link below) to complete the evaluation form in order to receive your certificate of credit. Once the evaluation form is complete and submitted, you will be automatically sent a copy of your certificate via email. Please note, participants must attend the entire activity to receive all types of credit. Continuing Education evaluation and request for certificates will be accepted up to 60 days post activity date. CFMC will keep a record of attendance on file for 6 years.

Speaker Profile
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.

Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.

Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master's degree from the Massachusetts Institute of Technology.
