The Critical Difference: HIPAA Security Compliance Evaluation v HIPAA Security Risk Analysis-Live Webinar

Compliance assessment? Security Evaluation? Risk Assessment? Risk Analysis? Compliance Analysis? Huh?  Just what do the HIPAA Security Final Rule and/or the HITECH Act and/or the Meaningful Use Final Rule require?

We end the confusion in this webinar… 

Attend this complimentary webinar on:

Thursday, May 2, 2013  11:00 a.m. – 12:00 p.m. CDT

Register Now

Sign up for email notifications about webinar events.  You can also follow us on Twitter, join us on LinkedIn or Like our Facebook page.


The HITECH Act was a “game changer” when it comes to HIPAA Security Rule Compliance.

1) Mandatory audits (Subtitle D, Part 1, Section 13411) have begun
2) HHS non-compliance fines returning to HHS’ coffers will be reinvested in more enforcement
3) State Attorneys General can now bring civil actions and have already started doing so
4) Business Associates (BAs) are now statutorily obligated to comply with the law
5) Subcontractors are minimally contractually obligated and may be designated as BAs
6) Data Breach Notification requirements are stringent
7) The OCR recently published the Audit Protocols it is using for both the mandated audits and for any investigations related to claims

Numerous experts have advised that the best way to get started with your compliance program is to take stock of where you are today.  Unfortunately, the advice uses many terms interchangeably for what you are supposed to complete:  Compliance Assessment! Security Evaluation! Risk Assessment! Risk Analysis! Compliance Analysis!

This webinar ends the confusion, identifies the types of evaluations required by the HIPAA Security Final Rule (and Meaningful Use Stage I Requirements) and explains the differences.

Complying with the HIPAA Security Final Rule itself, and as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, involves many steps and considerations.  What’s most important is starting on the right foot.

We focus on the two evaluations you must complete, by law. Both are Required by the HIPAA Security Final Rule.

A thorough HIPAA Security Compliance Evaluation broadly covers all aspects of the law including all 22 Standards and 53 Implementation Specifications that comprise the Administrative, Physical and Technical Safeguards (CFR 164.308, 310, 312) in the HIPAA Security Final Rule. Additionally, this evaluation must cover CFR 164.314 and 316 related to Organizational Requirements, Policies and Procedures and Documentation.

As indicated above, completing this HIPAA Security Compliance Evaluation is required of every Covered Entity and Business Associate. The language of the law is:

45 C.F.R. § 164.308(a)(8): Evaluation.

Standard: Evaluation. Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.

This type of evaluation is a critical step and should be completed whether one is just starting a HIPAA Security Compliance program, rejuvenating an existing program or maintaining an existing program. The output of the evaluation establishes a baseline against which overall progress can be measured by the executive team, compliance or risk officer, audit committee or board. Think FOREST view.

A HIPAA Security Risk Analysis is also required by law to be performed by every Covered Entity and Business Associate. Additionally, completion of the Risk Analysis is a core requirement to meet Meaningful Use objectives. The HIPAA Security Final Rule states:

45 C.F.R. § 164.308(a)(1)(ii)(A) RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

Both the HIPAA Security Compliance Evaluation and the HIPAA Security Risk Analysis are required by law, and both are important and necessary steps on your HIPAA HITECH Security compliance journey.

Knowing what evaluation to complete when is a challenging decision even for the largest and most sophisticated organizations.


If your organization creates, receives, maintains or transmits ePHI, you should attend this webinar and learn the difference between these two types of evaluations.

This webinar briefly reviews the HIPAA-HITECH regulatory requirements for both types of evaluations, discusses the essential objectives and requirements of both, explains the differences and provides tangible, actionable approaches to complete each one.

The importance of both evaluations to any compliance program, the different types of assessments one can complete, the explicit legal requirements, the penalties for failing to comply with the laws and many other key compliance process steps will be discussed.

Specific tools to complete each type of evaluation will also be discussed and made available to participants in this live event.


The evaluation approaches presented in the webinar have been used by organizations of all sizes and are purposefully designed to be usable by everyone from the largest CEs and BAs (e.g., hospitals, insurers, care management firms, etc.) to the smallest CEs, BAs and subcontractors (e.g., small medical practices, clinics, dental offices, medical billing companies, etc.).

No matter where you are in your HIPAA-HITECH compliance journey, you will benefit from learning about:

  • The requirements of the HIPAA Security Final Rule for evaluations
  • The difference between a compliance assessment and a risk analysis
  • The HIPAA Security Final Rule civil and criminal penalties
  • Practical, actionable steps to complete the evaluations required by law
  • Available Software and ToolKits to jump-start your evaluation processes and overall compliance program

Becoming HIPAA-HITECH Security Rule compliant is an important and large project for any organization.  Taking stock of where you are today is a great way to jump-start or revitalize your compliance programs and be prepared for the mandatory audits that are being conducted throughout 2012.  The Office for Civil Rights (OCR) has an audit program underway with KPMG, and 150 audits of Covered Entities are to occur this year.

If you are a “Business Associate” or “Covered Entity” or a “subcontractor” that creates, receives, maintains or transmits ePHI, you will benefit from this webinar.



This session is offered as a 60-minute webinar using the GoToWebinar platform. The open format encourages questions during and after the session. Attendees will receive the presentation materials.

In this live session, attendees will learn about:

  • Two Security Rule Evaluation requirements
  • The difference between a compliance assessment and a risk analysis
  • Proven approaches to completing these evaluations
  • Step-by-Step Instructions for compliance assessments and risk analysis
  • Tools, templates and forms available to help you

This webinar is designed to help CEs and BAs understand and act on the specific periodic evaluation requirements (45 C.F.R. §164.316(a)) included in the HIPAA Security Final Rule, as amended by The HITECH Act.

