HIPAA Risk Management Plan – Is it the Foundation of Your Compliance Program?

by ih-coc admin

by Jay Hodes, President - Colington Consulting

Simply put, a HIPAA Risk Management Plan is a compilation of an organization’s compliance policies, procedures, forms, logs and reports. A plan serves as a way to demonstrate your HIPAA compliance efforts in writing. This is critical because if a HIPAA breach or an audit occurs, rest assured the HHS Office for Civil Rights (OCR) will want to see the specific written policies and procedures your organization has in place.

The overall goal of a HIPAA Risk Management Plan is to address risk. A risk is an event or condition that, if it occurs, could have a positive or negative effect on an organization. Risk management is the process of identifying, assessing, responding to, monitoring, controlling and reporting risks. A good plan will outline how risk management activities will be performed, recorded and monitored to comply with the HIPAA Security Rule.

In guidance provided by OCR, HIPAA Covered Entities and Business Associates must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A plan must be retained until six years after the date of its creation or last effective date (whichever is later), together with written security policies and procedures and written records of required actions, activities and assessments.

Covered Entities and Business Associates must periodically review and update their documentation in response to environmental or organizational changes that affect the security of electronic protected health information (e-PHI). Reviewing and amending policies and procedures should occur on an as-needed basis.

A comprehensive risk plan must cover all the HIPAA Security Rule Standards and Implementation Specifications. Under this Rule, the implementation of standards is required. The implementation specifications are defined as either “required” or “addressable.” A required specification must be implemented with no exceptions. An addressable specification allows additional flexibility with respect to compliance for the standard, but it is not optional.

Let’s look a little deeper at addressable implementation specifications. These specifications were developed to give an organization additional flexibility with respect to compliance with some of the security standards. However, one of the following must be done for each addressable specification:

  1. Implement the addressable implementation specification;
  2. Implement one or more alternative security measures to accomplish the same purpose;
  3. Implement neither the addressable implementation specification nor an alternative. This choice must be documented. (I always advise trying to meet the specification. Remember, a clearly written justification as to why it is not being met is required.)

You can apply the reasonable and appropriate standard to addressable implementation specifications. This standard will depend on a variety of factors such as the risk assessment, the risk mitigation strategy, what security measures are already in place and the cost of implementation. HIPAA Risk Management Plans should be created with the understanding that every member of the workforce must be able to access the plan. Organizations must require workforce members to attest that they have received the plan and understand they are accountable for its contents.