Risk management is a process and not a one-time event. Performing a Risk Analysis is a critical component of managing risk and a specific requirement for both HIPAA and Meaningful Use compliance. You have the option to use internal or external resources to comply with these regulations.
However, in the recently released ONC Privacy and Security Guide it says, “to receive a thorough and professional risk analysis that will stand up to a compliance review, it requires expert knowledge obtained through services of an experienced outside professional.”
So, how do you find the right “experienced outside professional”?
As a provider of Risk Analysis services for over 10 years, we advise each new client to speak with our current customers and ask for feedback. This is best practice for any healthcare organization choosing a new vendor or consultant.
While many consultants may have industry expertise, here are five additional questions we recommend our prospective clients ask our current customers to make sure there’s a good fit with their needs:
1. Did the consultant show up on time?
2. Was he/she respectful of your staff’s time?
3. Did the consultant try to “nickel and dime” you beyond the scope of the proposal?
4. Was the consultant respectful to your staff?
5. Did he/she talk down to your staff?
So, if you find yourself needing a Risk Analysis or Audit performed (you have never had one done, you need to update the one you have, or a HIPAA violation and/or breach has occurred) and you begin the search for a Risk Analysis consultant, I hope you use the questions above.
Your staff will be more receptive to the intrusion and allow the consultant to uncover all the risks that need mitigation. Your patients’ privacy and security depend on it.