WEBINAR REPLAY: Strengthening Your Risk Management Program: Lessons Learned from the OCR’s Phase 2 Audits
The HHS Office for Civil Rights (OCR) recently presented some findings from its Phase 2 HIPAA Audit program, providing a snapshot summary of current data security and privacy practices in the healthcare industry. The results reveal that many organizations lack sufficient documentation of risk management activities to satisfy OCR’s expectations. Examples of what was found lacking include documentation of:
comprehensive risk analysis processes to identify risks throughout an organization’s environment;
methods used to calculate risk based on impact and likelihood to the organization; and
risk management activities and controls implemented to mitigate security risks and drive down the likelihood of future security breaches.
The OCR Phase 2 Audit Results underscore the importance of an effective Risk Management Program. Establishing a risk management program that meets the OCR’s expectations is critical for all healthcare organizations that, at some point, may be the subject of an OCR audit or investigation.
Based on OCR's feedback and their collective experience, Adam and Cliff will provide guidance and template examples for performing and documenting risk assessments and risk management programs. Participants will learn about the key elements required in a Risk Assessment, tips for performing an assessment, and useful reference resources.
Partner, Davis Wright Tremaine LLP.
Adam Greene, a nationally-recognized authority on HIPAA and the HITECH Act, primarily counsels health care systems and technology companies on compliance with the HIPAA privacy, security, and breach notification requirements. Adam is a former regulator at the U.S. Department of Health and Human Services (HHS), where he played a key role in administering and enforcing the HIPAA rules. At HHS, Adam was responsible for determining how HIPAA rules apply to new and emerging health information technologies and he was instrumental in the development of the current enforcement process.
Adam’s work at HHS during the evolution of HIPAA and related regulations has given him a keen understanding of agency interactions with the health care community. Adam has written numerous articles on the HIPAA rules and is a frequent speaker on the subject. Adam also serves as the chair of the HIMSS Cloud Security Workgroup.
Adam is a regular contributor to Davis Wright Tremaine's Privacy and Security Law Blog, PrivSecBlog.com. He is also a member of DWT’s Breach Response Team (dwt.com/IncidentResponse). Adam has been recognized as one of the "Top 10 Influencers in Health Information Security" for 2015 by HealthcareInfoSecurity.com and one of the "50 Top Healthcare IT Experts" in 2015 by Health Data Management.
Managing Partner, Meditology Services
Cliff Baker is an industry leader in healthcare information technology, privacy and security, and has over 20 years of industry experience. In his dedication to the industry and passion to tackle many of its most challenging risks, Cliff has created solutions that are leveraged and used by organizations across the nation. He is the founder and CEO of two successful companies that provide information protection services to healthcare organizations, including many of the nation's leading provider, payer and business associate organizations. Cliff also led the creation of the HITRUST framework, which is the most broadly adopted healthcare security and privacy framework in the industry. Cliff started his career with PricewaterhouseCoopers, where he established and led the firm's first dedicated healthcare security practice. He is a published author on database security and of various whitepapers, and is a frequent speaker at compliance-related conferences.