Understanding Risk Analysis Under HIPAA and Meaningful Use

3/5/2014 10:00 AM - 11:00 AM

Overview: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets many rules and regulations to help create guidelines for healthcare providers (covered entities) to protect the integrity of personal health information (PHI). The HIPAA Security Rule specifically requires conducting a security risk analysis per 45 CFR 164.308(a)(1). Part of the risk analysis includes implementing updates as necessary and correcting identified vulnerabilities (or documenting why no action was taken to address a vulnerability).

Recently the healthcare industry has seen a renewed focus on having a risk assessment because the Omnibus Rule expanded the requirements of the Security Rule risk analysis to healthcare vendors that access personal health information (Business Associates). Additionally, many providers have a new interest in having a compliant risk assessment in order to achieve Meaningful Use and receive incentive funds. Many providers and vendors are under the false assumption that they have correctly conducted a risk assessment and are compliant with the regulations, but that is not always the case. The industry has seen recent evidence that many organizations are not meeting the risk analysis requirements.

Many organizations conduct their assessment, check it off their list and falsely assume they met the requirements. This is apparent through the recent random compliance audits spearheaded by the Centers for Medicare & Medicaid Services and the Office for Civil Rights (OCR). Furthermore, risk analysis deficiencies are commonly uncovered during security incidents and investigations. Many organizations are not thorough enough, do not have the proper documentation, did not take action to mitigate identified risks, or have not revisited a risk analysis after a significant change to their security program.

In this hour-long session, IT security veteran Mac McMillan, CEO of CynergisTek and Chair of HIMSS Privacy and Security Policy Task Force, will review the risk analysis requirements for healthcare organizations and vendors and clarify some of the misconceptions that are common in the industry. McMillan will review the OCR approved NIST methodology and how it can be applied when conducting a risk assessment. This webinar is ideal for any organization that creates, receives, maintains or transmits PHI, as they are directly liable to meet the HIPAA Security Rule risk analysis requirements. Upon completion of this educational webinar, attendees will be much more knowledgeable on the subject and will be able to identify if their organization's risk assessment is in compliance. It will also provide an industry expert's guidance on conducting an assessment for organizations that need to assess their security program.

Why should you attend: Does your risk assessment meet the requirements under Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Meaningful Use? Many organizations conduct a risk assessment and check it off their list. They assume their assessment was thorough enough and that it met regulatory requirements but that is often not the case. It is evident from the findings from security incidents and investigations, and the Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) random compliance audits that many organizations have an inefficient risk analysis process.

These discrepancies and inefficiencies can lead to hefty financial penalties from OCR, as well as having to pay back Meaningful Use incentive dollars. Don't be one of the covered entities or business associates that falsely believe that a risk assessment is inapplicable to them. If you have a risk analysis process in place, don't be one of the organizations that is investigated or randomly audited and caught without a proper risk assessment that meets regulatory requirements. Learn how to verify if your process and methodology is sufficient by attending this webinar and better understand the requirements under the HIPAA Security Rule and Meaningful Use attestation requirements.

Areas Covered in the Session:

Risk analysis requirements under the HIPAA Security Rule and Meaningful Use Stage 1 and 2

Who is required to have a risk assessment

The importance of risk analysis

Addressable specifications

Methodology when conducting a risk assessment

The NIST Risk Analysis

Documentation requirements

Who Will Benefit:

Director of IT

IT Manager

Security Officer

Risk Analyst/IT Risk Analyst

Compliance Officers, Compliance Specialists

Mac McMillan is co-founder and CEO of CynergisTek, Inc., a firm specializing in the areas of information security and regulatory compliance in healthcare. He is the current Chair of the HIMSS Privacy & Security Policy Task Force and was recognized in 2012 as a HIMSS Fellow.

Phone No: 800-385-1607

Fax: 302-288-6884
