If you’re audited, the first piece of documentation the OCR auditor will ask for is your risk assessment. The second thing they’ll require is your risk mitigation action plan. Will you be able to produce these documents in any meaningful form?
At a recent NIST (National Institute of Standards and Technology) and OCR (Office of Civil Rights) conference, OCR Director, Jocelyn Samuels, reviewed key requirements for CE (Covered Entities) and BA (Business Associates). OCR will “want to see … policies and processes for risk analysis and mitigation plans required by the Security Rule. … OCR will also be looking for how the organization documents and responds to gaps identified through the risk assessment.”
Too many healthcare providers don’t realize that HIPAA security is about establishing a security management practice. A practice is an ongoing, continuous improvement framework that, over time, acts to lower risk by managed, ongoing focus. HIPAA security is NOT an endpoint, but a journey.
And that journey must start with a risk assessment.
To read the referenced article published by HealthITSecurity, go here: http://tinyurl.com/mtyu3en