Risk Analysis: How to Do it Right under HIPAA and HITECH

Duration: 60 Minutes
Instructor: Mac McMillan
Webinar Id: 800262


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets many rules and regulations to help create guidelines for healthcare providers (covered entities) to protect the integrity of personal health information (PHI). The HIPAA Security Rule specifically requires conducting a security risk analysis per 45 CFR 164.308(a)(1). Part of the risk analysis includes implementing updates as necessary and correcting identified vulnerabilities (or documenting why no action was taken to address them).

Recently the healthcare industry has seen a renewed focus on having a risk assessment because the Omnibus Rule expanded the requirements of the Security Rule risk analysis to healthcare vendors that access personal health information (Business Associates). Additionally, many providers have a new interest in having a compliant risk assessment in order to achieve Meaningful Use and receive incentive funds. Many providers and vendors are under the false assumption that they have correctly conducted a risk assessment and are compliant with the regulations, but that is not always the case. The industry has seen recent evidence that many organizations are not meeting the risk analysis requirements.

Many organizations conduct their assessment, check it off their list and falsely assume they have met the requirements. This is apparent from the recent random compliance audits spearheaded by the Centers for Medicare & Medicaid Services and the Office for Civil Rights (OCR). Furthermore, risk analysis deficiencies are commonly uncovered during security incidents and investigations. Many organizations are not thorough enough, do not have the proper documentation, did not take action to mitigate identified risks, or have not revisited a risk analysis after a significant change to their security program.

In this hour-long session, IT security veteran Mac McMillan, CEO of CynergisTek and Chair of the HIMSS Privacy and Security Policy Task Force, will review the risk analysis requirements for healthcare organizations and vendors and clarify some of the misconceptions that are common in the industry. McMillan will review the OCR-approved NIST methodology and how it can be applied when conducting a risk assessment. This webinar is ideal for any organization that creates, receives, maintains or transmits PHI, as such organizations are directly liable for meeting the HIPAA Security Rule risk analysis requirements. Upon completion of this educational webinar, attendees will be much more knowledgeable on the subject and will be able to identify whether their organization's risk assessment is in compliance. It will also provide an industry expert's guidance on conducting an assessment for organizations that need to assess their security program.

Why should you attend: Does your risk assessment meet the requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Meaningful Use? Many organizations conduct a risk assessment and check it off their list. They assume their assessment was thorough enough and that it met regulatory requirements, but that is often not the case. It is evident from the findings of security incidents and investigations, and from the Office for Civil Rights (OCR) and Centers for Medicare & Medicaid Services (CMS) random compliance audits, that many organizations have an inefficient risk analysis process.

These discrepancies and inefficiencies can lead to hefty financial penalties from OCR, as well as having to pay back Meaningful Use incentive dollars. Don't be one of the covered entities or business associates that falsely believe a risk assessment is inapplicable to them. If you have a risk analysis process in place, don't be one of the organizations that is investigated or randomly audited and caught without a proper risk assessment that meets regulatory requirements. Learn how to verify whether your process and methodology are sufficient by attending this webinar, and better understand the requirements under the HIPAA Security Rule and the Meaningful Use attestation requirements.

Areas Covered in the Session:

  • Risk analysis requirements under the HIPAA Security Rule and Meaningful Use Stage 1 and 2
  • Who is required to have a risk assessment
  • The importance of risk analysis
  • Addressable specifications
  • Methodology when conducting a risk assessment
  • The NIST Risk Analysis
  • Documentation requirements

Who Will Benefit:
  • Director of IT
  • IT Manager
  • CIO
  • CISO
  • Security Officer
  • Risk Analyst/IT Risk Analyst
  • Compliance Officers, Compliance Specialists

Speaker Profile
Mac McMillan is co-founder and CEO of CynergisTek, Inc., a firm specializing in the areas of information security and regulatory compliance in healthcare. He is the current Chair of the HIMSS Privacy & Security Policy Task Force and was recognized in 2012 as a HIMSS Fellow.

He brings over 30 years of combined intelligence, security countermeasures and consulting experience to his position, gained in both government and private sector roles. He has worked in the healthcare industry since his retirement from the federal government in 2000, has contributed regularly to organizations such as HIMSS, HCCA, AHIA, AHIMA, AAHSA, HFMA and AHLA, and contributes regularly to the thought leadership around data security in healthcare.

He served as Director of Security for two separate Defense Agencies, and sat on numerous interagency intelligence and security countermeasures committees while serving in the US Government. McMillan is the former Chair of the HIMSS Information Systems Security Working Group and of the HIMSS Privacy & Security Committee. He sits on the HIT Exchange and HCPro Editorial Advisory Boards, as well as the HealthTech Industry Advisory Board. He has contributed to more than 300 articles and postings in healthcare IT magazines, healthcare IT blogs and other healthcare newsletters.

He presents regularly at conferences and other events, and was a contributing author to the HIMSS book, Information Security in Healthcare: Managing Risk. Mr. McMillan holds a Master of Arts degree in National Security and Strategic Studies from the U.S. Naval War College and a Bachelor of Science degree in Education from Texas A&M University. He is a graduate of the Senior Officials in National Security program at the JF Kennedy School of Government at Harvard University and a 1993/4 Excellence in Government Fellow. He is retired from the U.S. Marine Corps.