On May 7, 2010, the Office of Civil Rights (OCR) issued guidance on the risk analysis requirement of the HIPAA Security Rule. Many providers have not paid close attention to the actual requirements of the HIPAA Security Rule. In addition to covered entity providers that must comply with the security regulations, business associates that have not implemented the requirements of the HIPAA Security Rule must also do so, thanks to the HITECH Act. The newest OCR guidance should be reviewed as well as past guidance documents. This guidance focuses on the first step in identifying and implementing safeguards consistent with the HIPAA Security Rule. According to OCR, “the guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements.” The OCR guidance does draw from recommendations from the National Institute of Standards and Technology (NIST) even though only federal agencies are actually required to follow guidelines set by NIST. We encourage providers and business associates to review the guidance as the HIPAA Security Rule emphasizes that the risk analysis process is a key element in achieving compliance with the regulatory requirements and it is an ongoing evolving process.
We have extensive experience with RAC audits and appeals, working directly with healthcare entities subject to RAC audits.