Medical equipment suppliers often have a hard time breaking down the important task of internal analysis into manageable, bite-sized pieces. Let's explore a successful approach to assessing and analyzing problems and then solving them effectively. We'll utilize the HIPAA security rules for our examples.
- Learn the difference between assessing risk and analyzing risk. Risk assessment is when you apply the “rules” (here, the HIPAA security rules) to identify specific vulnerable areas in your company. Perhaps your password protections are nominal, or monitors display sensitive information to walk-in customers.

  Risk analysis, on the other hand, identifies specific threats to the security of your protected health information. Perhaps someone has gained unauthorized access to your system. Perhaps you have identified a number of improper fax transmissions, or you have found several unlocked doors or cabinets. In other words, risk analysis finds threats that exploit the vulnerabilities identified during the risk assessment. Risk analysis also helps to particularize the level of risk the vulnerabilities present.
- … BUT, do both. You cannot assess your areas of vulnerability without evaluating specific problems that have arisen. You cannot respond effectively to errors or systemic problems without assessing whether they are aberrations or reflect continuing vulnerability. Each gives clues to the other.
- Quantify your threats. Once you have assessed your company's vulnerabilities, assign each weakness a level of risk. It is usually sufficient to choose from “high,” “medium” and “low.” Use your HIPAA team to assist with this process — your privacy/security officer, IT professionals and department heads.

  It is appropriate to assess your risk level with reference to the simplicity and expense associated with solving the problem. A high priority problem that is quite expensive or difficult to fix will likely be bumped down in prioritization until you have had a chance to fix the comparably important but far easier or cheaper problems. There is nothing wrong with getting the most bang for your buck.
- … BUT, don't forget about the moderate and low-risk threats. There is a tendency to procrastinate with problems that are complicated, expensive or irritating. While prioritization is fine, known risks should not be put on the back burner indefinitely. Eventually, even the slowest simmering pot will boil over. So, if you get caught by the feds ignoring a known problem, you had better be able to show that you had an intelligent prioritization plan that you followed appropriately.
- Risk assessment and risk analysis are team efforts. You will need aid and input from a variety of people within the company to assess and analyze risks effectively. While many of the HIPAA security issues relate to IT systems and personnel, it is a mistake to limit your analysis to your IT team. Many security concerns arise from external threats or from the social and political structures within your company. It is therefore important to enlist support beyond your IT team from key department representatives in assessing and analyzing dangers.
- … BUT, put one person in charge. Someone needs to be responsible for all of your HIPAA risk assessment and analysis activities. This should be an individual capable of communicating to the rest of the team what needs to be evaluated and identified; of coordinating and prioritizing data; of identifying appropriate corrective action and implementing necessary changes; and of monitoring results.

  Sometimes this will be the same person responsible for risk assessment and analysis in other areas, such as compliance or financial operations. Regardless, the same skill set applies to any individual responsible for these sorts of duties.
If you embrace the importance of regular risk analysis and risk assessment and apply these six rules to your efforts, you will be rewarded with a safer and more profitable business.
Neil Caesar is president of the Health Law Center (Neil B. Caesar Law Associates, PA), a national health law practice in Greenville, S.C. He also is a principal with Caesar Cohen Ltd., which offers compliance training, outsourcing and consulting, and the author of the Home Care Compliance Answer Book. He can be reached by e-mail at ncaesar@healthlawcenter.com or by telephone at 864/676-9075.
Materials in this article have been prepared by the Health Law Center for general informational purposes only. This information does not constitute legal advice. You should not act, or refrain from acting, based upon any information in this presentation. Neither our presentation of such information nor your receipt of it creates, nor will it create, an attorney-client relationship.