
The 3 keys to better HIPAA compliance: risk assessment, training, revised notice

Three HIPAA items need every manager’s immediate attention. They are:

• a Risk Analysis;
• documentation of HIPAA training; and
• a revised Notice of Privacy Practices.

HIPAA’s enforcer is the Office for Civil Rights (OCR), and it’s taking the job seriously, says Nathan A. Kottkamp, a health care attorney with McGuireWoods in Richmond, VA.

When the OCR comes to call, it will ask to see the office’s policies and procedures for privacy and security. And then it will home in on risk assessment, training, and the revised privacy notice.

Here are the requirements for each item.

First, the Risk Analysis

The Risk Analysis is a HIPAA survival necessity, Kottkamp says. Yet it’s something most offices have put on the back burner simply for lack of time to draw one up.

Don’t overlook it. “It’s part of HIPAA compliance.” It’s a requirement of the Security Rule.

In the analysis, the office identifies the potential dangers to patients’ electronic protected health information (ePHI) and also tells what it is doing to keep those dangers from becoming reality.

Making it daunting to many managers is the fact that there are no requirements on what the analysis has to look like or how long it has to be or what it has to say. That’s up to the office.

But on the positive side, the risk analysis doesn’t have to be technical or extensive to the point that the office has to bring in a consultant or attorney to draw it up.

Any office should be able to do the job on its own, he says. “It’s not that complicated.”

Some cautionary items

Kottkamp does, however, point to four things managers need to be careful of in setting up their risk assessments, because each corresponds to a common failing.

The first is to be thorough. It’s not enough to look at a risk area, say “oh, we’re OK on that,” and document no more than “yes, we comply.” Explain what the office is doing and tell why it puts the office in compliance.

Another is to make sure all the security documentation can be found.

If the Risk Analysis cites an office policy or procedure, document where it is located. For example, if the analysis says the office has a procedure on when encryption is used, describe it briefly and then tell where to find the complete procedure.

The third word of caution is to be “open and honest.” Identify all the weak spots in the data protection and tell what is being done about them. Give a truthful picture of the office, warts and all.

And the final caution is to keep the Risk Analysis updated. The OCR has many times said that it has to be kept current. Believe it.

If a HIPAA auditor appears at the door and all the office can produce is an analysis that hasn’t been updated since 2009, expect a problem.

Updating is a necessity because technology changes quickly. Whenever there’s a system update or a move to a new system, the office’s procedures invariably change a little.

Every such change has to be reflected in the Risk Analysis.

Second, staff training

The second item is staff training. And the rule there, Kottkamp says, is that “it needs to be more than HIPAA 101.”

To be in compliance, the office has to provide education on the main topics of HIPAA, and then, he says, it has to focus “on the practical stuff.”

Those are the things staff encounter every day in their jobs, such as what to do if somebody suspects a breach, what needs to be encrypted, the procedure for releasing copies of records, or whom to call when there’s a question about what is allowed.

And, as might be expected, all of that has to be documented.

Keep a log of when the training takes place and what is covered at each session.

Keep copies of the training materials.

And make sure there’s written proof that everybody has had adequate training. The easiest way to do that is to have staff sign in at each session and keep the sign-in sheet.

Along with that, give copies of the materials to the people who do not attend the sessions and have them sign off on having received and read them. Also make the training part of the orientation for new staff – and document it for each person.

As to how often to do the training, again there is no specific requirement, Kottkamp says. However, a safe approach is to have a formal training session once a year and then have refreshers on privacy and security throughout the year, maybe during staff meetings.

Document even the shortest and simplest training that the office provides. Note the date and what was covered, he says, “and get credit for it.”

Being able to show a series of little refreshers shows good training compliance.

No, there’s no HIPAA certification

A frequent question managers ask is what type of HIPAA certification is available.

And the answer is that there’s no such thing, Kottkamp says.

There’s no official certifying body and neither is there any official stamp of approval to be had.

All the OCR requires is that the office show an ongoing effort at HIPAA training and be able to produce good documentation of what has been done.

Third, the revised privacy notice

The third item is the revised Notice of Privacy Practices, and the office has to have it in place by September 23, 2013.

The revised notice has to include four new items about patients’ rights regarding their protected health information.

That requirement comes from HIPAA’s new “mega-rule,” the final omnibus regulations that came out in January 2013.

Once again, there’s no form to follow. In fact, the government says the notice should be written so as to suit the practice. The only specific point the government makes is that the notice must be written clearly so all patients can understand it.

In other words, no legalese.

The revised notice has to explain these four points to the patients:

Release authorizations. Certain uses and disclosures of protected health information require the patient’s written authorization. They include:

– Psychotherapy notes (the notes of a mental health professional that are kept separate from the rest of the record).

– Any use of the information for marketing.

– Any sale of the office’s patient information.

Fundraising. Patients can opt out of getting fundraising materials from the office.

Restricting information releases. A patient who pays for a service in full and out of pocket can require that the office not disclose information about that service to the patient’s health plan.

The patient has to put the request in writing, and the request has to spell out what information the patient wants to restrict and which health plan is not to receive it.

Breach notification. The office will notify patients in writing when a breach of their protected health information occurs.

Be careful here, Kottkamp says.

Any loss or impermissible disclosure of protected data is presumed to be a breach unless the office can show, through a documented risk assessment, that there is a low probability the information has been compromised.

Thus, even the most minor breach has to be reported to the affected patient, and breaches affecting fewer than 500 people also have to be logged and reported to HHS after the end of the calendar year.

Along with those four elements, there has to be a note that patients can get electronic copies of the notice if they request them.

A whole new signing process

Patients have to acknowledge receipt of the revised notice the same way they did for the first one: the office hands it out, makes a good-faith effort to get a signed acknowledgment, and keeps a record of the attempt when a patient declines to sign.

What’s more, a copy of the notice has to be posted prominently in the office.

More still, the notice has to be available for patients to take away, on paper and, for those who ask, electronically.

Most specialty societies have sample forms available. However, Kottkamp points out that for safety, it’s a good idea to have the office’s attorney review the revised document.

It’s also a good idea to have all the providers in the office review the revised notice to make sure it’s readable and logical – and not outdated.

Things change over time, he says, “and you never know what you might find.”

$1.5 million: nothing to sneeze at

Managers need to recognize that HIPAA means business.

Until recently, the government focused its HIPAA enforcement attention on the largest organizations, such as hospitals and very large practices. But now it says outright that it is going after small offices with the same vigor.

And the fines are significant, going as high as $1.5 million per year for violations of a single requirement.

Even so, there is some comfort to be had, Kottkamp says.

HIPAA is not unreasonable.

While egregious mistakes and total disregard for the requirements will certainly bring stiff sanctions, honest mistakes that have not caused serious harm will likely not result in severe repercussions.

All along, the OCR has said that its goal is not to punish people but to help them get compliant with the law.

And more, the OCR has made it clear that it does not expect perfection.

Where does the Risk Analysis requirement come from?

HIPAA has two main parts.

One is the Privacy Rule, which requires that offices take steps to ensure their patients’ protected health information is kept confidential.

The other is the Security Rule. It carries the confidentiality concept further and spells out what offices have to do to ensure that their electronic PHI is not lost, corrupted, or accessed inappropriately.

The Security Rule lays out standards that offices have to meet, each with implementation specifications. Some of those specifications are required and some are addressable.

But addressable doesn’t mean the specification can be skipped or ignored. It only means that if it doesn’t apply to the office, or if the office is taking other steps to achieve the same result, it doesn’t have to be met exactly. And when that’s the case, the office has to document why it’s taking some other route, and the documented reason has to stand up against the risks identified in the Risk Analysis.

Encryption is an example. It’s an addressable specification. The office is not required to encrypt its data, but if it doesn’t, it has to explain why, perhaps that it doesn’t e-mail patient information.

The required specifications, on the other hand, have to be met exactly. And a Risk Analysis is one of them.

Everybody has to have an analysis.

Here’s what has to be covered in the Risk Analysis

The Risk Analysis is a required implementation specification of HIPAA’s Security Rule.
Its purpose is to identify the potential dangers to the office’s ePHI, and those dangers fall into the categories of confidentiality, integrity, and availability.
The government doesn’t set out any format for the analysis. Instead, it says that what the analysis contains and what it looks like are up to the office and should suit the office’s individual situation.
It does, however, give these guidelines on what the analysis should cover.

• Scope. The analysis has to identify the weak spots and potential risks to all the PHI the office creates, receives, maintains, and transmits. It has to cover all forms of data, starting with the paper files and going on to hard drives, CDs, DVDs, portable storage devices such as smart cards, and personal digital assistants. Along with that, it has to cover every piece of electronic infrastructure the office uses, from individual workstations to networks between multiple locations. In short, the analysis has to evaluate all data no matter where it’s created, received, kept, or located.

• Data inventory. Tell where the PHI is stored, received, maintained, and transmitted, and tell what that data includes.

• Threats and vulnerabilities. Tell what vulnerabilities and potential threats exist to that data, meaning the things that could result in wrongful access, disclosure, alteration, or loss.

• Current safeguards. Explain the security measures the office has in place to protect the data and reduce risk. Note whether each measure is a required or addressable Security Rule safeguard and whether it is configured and used as intended. The safeguards will to a great extent depend on the office’s size: an office with a small staff and a fairly simple information system will obviously have different measures than a very large organization.

• Likelihood. Look at the vulnerabilities and threats just identified and determine the probability that each one could occur, and the probability of several occurring at the same time. In doing so, identify the ones that are “reasonably anticipated.”

• Impact. Determine the “criticality,” or severity of impact, that each risk could create and tell how it would affect the confidentiality, integrity, and availability of the PHI. The office can express severity qualitatively (a descriptive rating), quantitatively (a numerical or statistical estimate), or with a combination of the two.

• Risk level and response. Assign a risk level to each threat and each combination of threats, and tell what corrective actions the office is taking or will take to eliminate or mitigate those risks.

• Review. The Risk Analysis has to be evaluated continuously and updated “as needed.” There’s no requirement on how often; the government says it could be anything from every six months to every three years depending on the office’s situation. However, an update is required every time the office brings in new technology or changes its business operations, and is also in order after a security incident, a change of ownership, the departure of key staff, or the identification of new threats or weak spots.
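The steps above amount to a small risk register: an inventory of where ePHI lives, the threats and vulnerabilities against it, a likelihood and impact rating for each, a resulting risk level, the safeguards in place, the open corrective actions, and a rule for when the whole thing must be reviewed. The following is an added example, not a form from the article, from Kottkamp, or from OCR, of how a practice could keep that register in a structured way. The 3-point likelihood and impact scale, the level thresholds, the ALE formula for the quantitative view, and every entry in the sample register (the laptop, the billing workstation, the EHR server, the dollar figures) are assumptions constructed for illustration.

```python
"""Added example: a minimal Security Rule risk register (constructed, hypothetical)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed 3-point qualitative scale; OCR prescribes no particular scale.
LEVEL: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}

# Events the article lists as triggers for an out-of-cycle update.
REVIEW_TRIGGERS = {
    "new technology", "change in operations", "security incident",
    "ownership change", "key staff departure", "new threat identified",
}


@dataclass
class Risk:
    asset: str                      # where ePHI is created, stored or transmitted
    data: str                       # what that ePHI includes
    threat: str
    vulnerability: str
    likelihood: str                 # low / medium / high
    impact: str                     # low / medium / high
    affects: Tuple[str, ...]        # which of confidentiality/integrity/availability
    safeguards: List[str] = field(default_factory=list)  # in place, and where documented
    actions: List[str] = field(default_factory=list)     # corrective actions still open
    sle: Optional[float] = None     # single-loss expectancy in dollars (quantitative)
    aro: Optional[float] = None     # expected occurrences per year (quantitative)


def qualitative_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the assumed 1-3 scales, giving 1..9."""
    return LEVEL[likelihood] * LEVEL[impact]


def risk_level(score: int) -> str:
    """Bucket a 1..9 score: 6-9 high, 3-4 medium, 1-2 low (assumed thresholds)."""
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"


def annualized_loss(risk: Risk) -> Optional[float]:
    """Quantitative view: ALE = SLE x ARO, only when both inputs were estimated."""
    if risk.sle is None or risk.aro is None:
        return None
    return risk.sle * risk.aro


def p_all(probs: List[float]) -> float:
    """Probability that all of several independent threats occur in the same period."""
    p = 1.0
    for x in probs:
        p *= x
    return p


def p_any(probs: List[float]) -> float:
    """Probability that at least one of several independent threats occurs."""
    p_none = 1.0
    for x in probs:
        p_none *= 1.0 - x
    return 1.0 - p_none


def needs_update(last_reviewed: str, today: str, events: List[str],
                 max_age_days: int = 365) -> List[str]:
    """Reasons the analysis must be updated now (ISO dates); empty means it is current."""
    reasons = [e for e in events if e in REVIEW_TRIGGERS]
    if date.fromisoformat(today) - date.fromisoformat(last_reviewed) > timedelta(days=max_age_days):
        reasons.append("review interval exceeded")
    return reasons


def rank(register: List[Risk]) -> List[Dict[str, object]]:
    """Register rows with score, level and ALE, highest qualitative score first."""
    rows = []
    for r in register:
        score = qualitative_score(r.likelihood, r.impact)
        rows.append({"asset": r.asset, "threat": r.threat, "score": score,
                     "level": risk_level(score), "affects": r.affects,
                     "ale": annualized_loss(r), "open_actions": len(r.actions)})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


# Constructed sample register for a small practice; every entry is hypothetical.
SAMPLE_REGISTER = [
    Risk("front-desk laptop", "scheduling and demographics", "theft of device",
         "disk not encrypted", "medium", "high", ("confidentiality",),
         safeguards=["cable lock (Physical Safeguards Policy, sec. 3)"],
         actions=["enable full-disk encryption"], sle=50_000.0, aro=0.2),
    Risk("billing workstation", "claims and insurance data", "unattended session",
         "no screen-lock timeout", "high", "medium", ("confidentiality", "integrity"),
         actions=["set 5-minute lock (Workstation Use Policy)"]),
    Risk("EHR server", "full clinical record", "ransomware", "backups never test-restored",
         "low", "high", ("availability", "integrity"),
         safeguards=["nightly off-site backup (Backup Procedure v2)"],
         actions=["quarterly restore test"]),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_REGISTER):
        print(row)
    print(needs_update("2009-06-01", "2013-06-01", ["security incident"]))
```

Each row records the safeguard together with where its full procedure is documented, which is the “make sure all the security documentation can be found” point from earlier in the article, and the `needs_update` check turns the review triggers into something an auditor can be shown alongside the register.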