HIPAA Regulatory Alert: Free resources help with risk assessments

If consultant is needed, follow these suggestions

New provisions and clarifications in the Health Insurance Portability and Accountability Act (HIPAA) omnibus rule might have some hospitals scrambling to determine their compliance level, but it might not be a situation that requires outside help.

“Organizations should always return to a risk assessment when there are questions about compliance or changes in regulations,” says Judi Hofman, CHP, CHSS, CAP, privacy and security officer at St. Charles Health System in Portland, OR. “A high level assessment can help you quickly identify gaps that you can address in more detail.”

Although some organizations might find it beneficial to hire an outside consultant to help with the assessment, there are free resources that might meet your needs, says Hofman. The American Health Information Management Association (AHIMA) is a national health information management professional association that offers free resources, she says. (Go to http://www.ahima.org and select “resources,” and then choose “Privacy, Security and Confidentiality.”) “And state chapters of AHIMA are also producing best practices to share among members,” she says. A list of AHIMA state chapters can be found at http://www.ahima.org/about/csa.aspx. Another free source of guidance includes the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) at http://www.healthit.gov. (Select “For Providers & Professionals.”)

State hospital associations often have an information technology committee actively working on guidance as well, says Hofman. “There is free guidance if a hospital doesn’t have the financial resources for outside help,” she says.

If the decision is made to hire an outside consultant, Hofman recommends the following:

• Decide what services you need before talking with consultants.

“Do you want a full risk assessment but not a mitigation work plan, or do you want both?” Hofman asks. “It’s important to know exactly what you want before interviewing consultants because you want to determine the scope of the project, not ask the consultant to do so.”

• Use a committee to evaluate consultants.

Invite everyone who will be affected by results of a risk assessment to help evaluate a consultant’s skill, experience, and approach, says Hofman. “Obviously, the privacy and security officers should be included, but also include the information technology managers and other key hospital leaders.” Their involvement at the start of the project will ensure continuity as gaps are identified and mitigation plans developed, she explains.

• Remember consultant’s perspective.

“Don’t be surprised to receive a list of gaps in your compliance plan,” says Hofman. “Consultants are paid to find risks, so they will give you a comprehensive list to justify their fees.” The key is to evaluate the risks identified by the consultant carefully, she says. “Ask yourself if the deficiencies are correctable or if they are not a priority at this time.”

• Ask state associations and other hospitals for recommendations.

“It is best to have recommendations for consultants from people you trust,” says Hofman. By turning to other healthcare organizations in your area, you can be sure to find someone who knows healthcare and has the skill and experience to handle your risk assessment, she adds.

While the potential cost is prohibitive to some organizations, the benefits of an outside consultant include a subjective, third party assessment, Hofman points out. “Consultants usually arrive with a team of people to focus only on the assessment, which frees you up to do your work,” she says. “This is helpful because it is hard to conduct a thorough risk assessment and stay current with day-to-day responsibilities at the same time.”