How to do HIPAA Risk Analysis & Risk Management Step-by-Step

Duration: 60 Minutes
Instructor: Paul R. Hales
Webinar Id: 803464


One Attendee
Unlimited Attendees ?


The HIPAA Rules require Covered Entities and Business Associates to do Risk Analysis and Risk Management (RA-RM) but do not explain how to do them. OCR consistently calls Risk Analysis the foundation of every HIPAA Compliance program.

This webinar clearly explains how to follow OCR’s advice to use Risk Analysis - Risk Management procedures developed by the National Institute of Standards and Technology (NIST). We lay out each step of the NIST RA-RM process and show how they fall neatly into three parts concluding with an easy-to-follow demonstration. You will receive a handout illustrating all the steps. HIPAA RA-RM is easy to do step-by-step - when you know the steps.

Organizations must identify and understand the unique Risks to the privacy and security of protected health information (PHI) they hold. Then - and only then - can they craft and implement policies, procedures, and training to manage specific risks that endanger their PHI and the organization’s financial well-being and reputation.

OCR regularly publishes Resolution Agreements following investigations of HIPAA violations by organizations due to Risks that should have been identified and could have been managed by a proper Risk Analysis.

RA-RM failures by large and small organizations have caused the private health information of hundreds of millions of Americans to be stolen.

On December 17, 2020, OCR published shocking results of its Phase 2 HIPAA Compliance Audits. OCR found:

  • 86% of covered entities and 83% of business associates failed the Risk Analysis Audit and
  • 94% of covered entities and 88% of business associates failed the Risk Management Audit

Each covered entity and business associate knew they were short-listed to be audited. OCR provided the exact questions they would be asked and the documents they would be required to show well in advance of the audit.

Why should you Attend:
Failure to do HIPAA RA-RM puts your organization in grave danger. This webinar will show you how to do a complete HIPAA RA-RM step-by-step and how easy it is to follow those steps when they are explained. You should attend this webinar to learn why you must worry about not doing a HIPAA RA-RM properly - and how you can stop worrying by simply doing a HIPAA RA-RM as required every year.

Areas Covered in the Session:
  • OCR Guidance - Risk Analysis and Integrated Risk Management Process
    • OCR Reliance on NIST Procedures -  the standard for best practices
    • NIST Sources - HIPAA RA-RM and NIST Risk Management Framework
  • OCR Audit - National Crisis - Widespread Failure to do RA-RM
    • Inexcusable, Unnecessary, and Dangerous  
  • OCR/NIST HIPAA RA-RM Process explained simply - It’s just a 3-Act Play
    • Act 1 - Setup - Risk Analysis
    • Assemble Information - Identity, Document, and Assess the Level of Risks
    • Act 2 - Confrontation - Risk Management - Documented Actions to Manage Risks
    • Act 3 - Resolution - Risk Management Program - Focused on your Organization's Risks - Documented and Active 
  • How to do OCR/NIST RA-RM demonstrated Step-by-Step

Who Will Benefit:
All Health Care Covered Entities:
  • Practice Managers - Covered Entities
  • HIPAA Compliance Officials - Privacy and Security Officers
  • Patient Engagement Officials
  • Health Information Technology Supervisors
  • Risk Managers - Covered Entities
  • Health Care Providers  practicing as individuals or in small groups
  • Group Health Plan Administrators
  • Third-Party Group Health Plan Administrators
  • Covered Entity Senior Management and Owners
  • Attorneys for Covered Entities - In-house and Outside Counsel
  • Compliance Committee - Covered Entity Board of Trustees
  • C-Suite Executives - all Covered Entities
  • Chief Compliance Officer - all Covered Entities

All Business Associates including:
  • Billing and Coding companies
  • Practice Management Companies and IT Vendors
  • Data Storage firms (electronic and paper)
  • Secure and unsecured providers of PHI Email and Text Message services
  • Vendors of patient satisfaction surveys
  • Law Firms representing Health Care Providers & Business Associates

Speaker Profile
Paul R. Hales, J.D. is widely recognized for his expert knowledge and ability to explain the HIPAA Rules clearly in plain language. Paul is an attorney licensed to practice before the Supreme Court of the United States and a graduate of Columbia University Law School with an international practice in HIPAA privacy and security. He is the author of all content in The HIPAA E-Tool®, an Internet-based, complete HIPAA compliance solution with separate editions for Covered Entities, Business Associates, Health Plans and Third Party Administrators.

You Recently Viewed