Federal Laws (HIPAA & HITECH) govern the privacy of patient data. While the HIPAA Final Security Rule specifies safeguards to protect the confidentiality, integrity, and availability of patient data (Protected Health Information or PHI), the HIPAA Privacy Rule specifies safeguards to protect privacy and the HIPAA Breach Notification Rule has provisions for breach notification when the breach includes PHI. HITECH, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA, a.k.a. Obama Care) extends HIPAA when the PHI is in electronic form. HITECH also contains several provisions that strength the civil and criminal penalties for violations of HIPAA.
Given the similarities between the various federal laws, we follow a methodology similar to our HIPAA Security Risk Analysis to examine your Patient Privacy & Breach Notification policies and procedures. The result is an assessment of your compliance with these rules.
The National Institute of Standards and Technology (NIST) produced a Guide for Conducting Risk Assessments (Special Publication 800-30 Rev. 1) which is considered a model for best practices in data security. This NIST framework was used, in part, in the development of the HIPAA Privacy and Breach Notification Rules.
The primary tool we use for conducting a HIPAA Privacy & Breach Notification Risk Analysis is from HIPAA One. It helps us conduct a gap analysis so we can analyze the risks and develop an appropriate remediation plan. Essentially the process constitutes a "mock audit" along the lines of a true audit from HHS Office for Civil Rights.
Privacy Risk Analysis Report
The end result of our HIPAA Privacy and Breach Notification Risk Analysis is a 20-30 page final report. It provides written documentation of the analysis, which is important for demonstrating regulatory compliance. The final report also serves as a guide for your risk mitigation efforts and makes the task of updating your risk analysis easier in the future. An outline is shown above.
How We Can Help
We offer three different HIPAA Privacy Risk & Breach Notification Analysis engagement models to match your needs, goals, and budget. For those interested in conducting a self-assessment, we’ll provide the tools and some guidance to get you started. For others, we can conduct a Remote Risk Analysis or come on-site to do it.