Corporate Compliance

Willful neglect potential for not completing risk assessment

Compliance Monitor, November 9, 2011

Editor’s Note: The following is an excerpt from a HIPAA Update blog post by Frank Ruelas, MBA, privacy officer, director of compliance and risk management at Maryvale Hospital in Phoenix, AZ, and the principal of HIPAA College.

I was recently asked to complete a risk analysis on a priority and expedited basis for a covered entity. During the debrief with several folks, I asked legal counsel for the involved covered entity for some reasons for the expedited request.

I was told by an employee that the employer was required to comply with state and federal laws, meet accreditation standards which also reference state and federal laws, and that the employer was a covered entity and therefore subject to complying with HIPAA (and he threw in for good measure that he had recently worked with the OCR).

The current employer had policies and procedures that recognized the necessity (as in requirement) for completing the HIPAA Security Rule implementation specifications. Also, Section 164.308 was deficient for various reasons, including that the risk assessment had not been done and that this had been communicated to administration for several years.

Long story short…

This was a clear example of a situation that could represent willful neglect on the part of the covered entity in complying with the regulations… etc., etc.

Read more on the HIPAA Update blog.
