Education, HIPAA / HITECH Enforcement, News Events, OCR HIPAA Audits, Tip of the Week

RISC Can Assist With Meeting the New OCR / KPMG HIPAA Audit Protocol

RISC Management has developed offerings in the areas of:

  1. OCR/KPMG HIPAA Audit Preparation
  2. OCR/KPMG HIPAA Audit Response Kit
  3. OCR/KPMG Audit Assistance (If you have received notification that your organization has been selected)

RISC has developed service offerings related to Audit Prep and development of an Audit Response Kit based upon the just-released Audit Protocol.

Contact RISC today for assistance in understanding and preparing for a HIPAA Audit by OCR, or KPMG on their behalf, based upon the Audit Protocol.


Education, Meaningful Use, Tip of the Week

Clinical Decision Support Systems and Evidence-Based Practice

Clinical Decision Support System (CDSS)

What is a CDSS?

A CDSS is interactive decision support software that assists clinicians in the decision-making process when arriving at a diagnosis from patient data. CDSS products can connect health observations with a knowledge information network to control alternative treatments, enhancing medical practice and judgment. Some products are capable of reviewing and filtering preliminary diagnoses and deducing links between patients, their medical histories, and forecast events.

A question we have been asked here at RISC is: The Meaningful Use (MU) incentive rule requires that we implement one CDS rule. What is the meaningful use CDS rule requirement for Stage 1 meaningful use?

Answer: The requirement is, “Implement one clinical decision support rule relevant to specialty or high clinical priority along with the ability to track compliance to that rule.” [1. See References below]

Physicians, nurses and other health care professionals use a CDSS to prepare a diagnosis and to review the diagnosis as a means of improving the final result. Data mining may be conducted to examine the patient’s medical history in conjunction with relevant clinical research. Such analysis can help predict potential events, which can range from drug interactions to disease symptoms.

What is Data Mining?

Data mining is sorting through data to identify patterns and establish relationships.

Data mining parameters include:

  • Association – looking for patterns where one event is connected to another event
  • Sequence or path analysis – looking for patterns where one event leads to another later event
  • Classification – looking for new patterns (this may change the way the data is organized, which is acceptable)
  • Clustering – finding and visually documenting groups of facts not previously known
  • Forecasting – discovering patterns in data that can lead to reasonable predictions about the future

What is Evidence-Based Practice (EBP)?

EBP is the practice of applying research to promote quality care and enhanced clinical practice, based upon the best evidence from the most recent systematic reviews and meta-analyses of randomized controlled trials (RCTs) for clinical information on a stated problem.

Meta-analyses are reviews of literature related to a particular intervention, culminating in the calculation of the effect size of an intervention. Systematic reviews of research (SRRs) are either summaries of the research on an intervention or summaries of what is known about a phenomenon. A rigorous process is used to identify appropriate studies, based on criteria developed by the researcher. The results of studies are synthesized, but no statistics are calculated. Meta-syntheses are systematic reviews of qualitative studies, often resulting in theoretical propositions that can later be tested in practice.

Meta-analyses, SRRs, RCTs, and even meta-syntheses are used to develop clinical practice guidelines (CPGs). Clinical practice guidelines are translated into care protocols, care maps, procedure manuals, and algorithms that are then implemented within institutions. The developers of CPGs consider all of the studies related to a clinical problem.

These evidence-based CDSS facilitate care before, during, and after diagnosis. In addition, CDSS products have capabilities such as monitoring medication orders, preventing duplications, and supporting analysis, diagnosis, and treatment planning, with condition-specific clinical guidelines promoting best practices to improve patient outcomes.

The Health Information Technology for Economic and Clinical Health (HITECH) Act (Meaningful Use) stipulates that healthcare providers must demonstrate MU by 2015 or face reduced Medicare reimbursement in 2016. In addition, providers are now in the final months to qualify for Stage 1 funds. Eligible Providers (EPs) that have not yet attested have only a brief period left to do so in order to capture the full amount of incentive funding.


1.  and

2. Melnyk, B. M., & Fineout-Overholt, E. (2011). Evidence-based practice in nursing and healthcare: A guide to best practice (2nd ed.). Philadelphia, PA: Wolters Kluwer/Lippincott Williams & Wilkins.

3. Centers for Medicare & Medicaid Services. (2012). Electronic Health Records Incentive Programs. Retrieved from

Sponsored by RISC Management & Consulting 630.270.9336

Education, News Events, OCR HIPAA Audits

OCR HIPAA Audit Program Update

Covered Entities and many Business Associates are keenly aware of the initiation of the latest round of HIPAA Audits being performed by KPMG on behalf of the Office for Civil Rights. Backed by $9.2 million in taxpayer funding, KPMG was selected to perform the audits in two phases. The identification and cataloging of Covered Entities and Business Associates was based upon the selection criteria established in a previous phase, under a public contract awarded to the firm of Booz Allen Hamilton.

So what’s happening right now? Where’s our promised Audit Protocol so that we can prepare?

These are the first two questions we hear almost every day.

Linda Sanches, OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits, recently presented at the NIST / OCR Conference, Safeguarding Health Information: Building Assurance Through HIPAA Security. Linda presented some key information, but did not deliver or present the Audit Protocol we have all been waiting for. Based upon results from the first 20 pilot audits, here are some of the key takeaways. The top Security issues included findings across Covered Entities related to:

  1. User Activity Monitoring (Logging)
  2. Contingency Planning (Disaster Recovery, Business Continuity, Business Impact Analysis (BIA))
  3. User & System Authentication & Data Integrity
  4. Media Reuse and Destruction (Think USB drives, Hard Drives, Optical Media, etc.)
  5. Lack of conducting a Proactive Risk Analysis
  6. Granting, Modifying, and Removing User Access
  7. Incident Response Planning, Mitigation, Remediation of Core Issues
  8. Encryption (Data at Rest)
  9. Physical Access Controls (Access to Data Centers, Workstations, Mobile Devices)

95 additional Covered Entities are in the process of receiving their selection letters as the next phase in the current audit contract. The total number of audited Covered Entities will be 115 by December of 2012. What is extremely important to note is that OCR and KPMG will be very carefully reviewing the trends that were evident from the initial 20 Audits, and the balance of 95, to determine the focus of future Audits. What that really means: organizations and areas that are struggling today, and that have become evident areas of concern from the current Audit Program, will receive vastly increased scrutiny in subsequent phases.

Linda recommended the following next steps:

  1. Conduct a robust Risk Analysis.
  2. Find all of your PHI, not just the obvious PHI (consider unstructured data, archived data, etc.).
  3. Map the data flow of PHI into, throughout, and out of your organization. Without this knowledge, it is impossible to achieve compliance.
  4. Determine all of the lines of business affected by HIPAA.
  5. Create (if needed), always update, and train workforce members on your HIPAA and Security Policies, supporting Procedures, and Practices.




Please contact RISC Management & Consulting to schedule a webinar on this topic, or for assistance developing your OCR / KPMG HIPAA Audit Response Kit at

Data Breach, Education, Tip of the Week

Organizations Must Address Data Breaches Before They Occur

Any organization that creates, collects, stores, processes, transmits, archives, or deletes sensitive information about an individual must prepare for a Data Breach before it occurs. Addressing Data Breach response planning only after the breach occurs is costly and potentially a game-ender for some companies.

Data Breaches occur all the time; the public just does not understand the breadth and impact of the problem. A quick look at the State of California Department of Justice website published by the State Attorney General at gives you an immediate feel for the size of the problem, especially when one considers how few of the events listed there, just in 2012, have made it into the news!

All of these organizations had to comply with California’s far stricter data breach reporting and notification requirements under California State Law, such as SB24. Sections of California State Law state:

California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))

Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f)). If you happen to be included in this category and are required to submit a notice, you can do so here.

However, this is only California, and most states, other than Texas, do not have Data Breach reporting requirements anywhere near as stiff as these. As the public begins to hear about even small portions of the overall problem, whether from the news, by receiving a notification letter, or from affected family members or neighbors, the attention paid to these events, and the real and significant penalties, will only grow exponentially.

All organizations that interact with sensitive information about an individual in the ways listed above must:

  1. Identify the sensitive data in their possession
  2. Identify the location of that data throughout its entire lifecycle from creation or import, through to secure and permanent deletion
  3. Document the data flow, and tie access controls, auditing, and security techniques such as encryption, to every branch of that flow
  4. Review the data with Risk Management and In-house or external Counsel (See the Law.Com Blog entry below)
  5. Determine the best combination of Risk Management techniques (Eliminate, Transfer, Reduce, Accept)
  6. Develop a Data Breach Policy
  7. Develop a Data Breach Procedure (Steps and Personnel to support the Policy)
  8. Run a mock Data Breach event drill
  9. Improve your processes based upon the results of the drill
  10. Update all of the information collected in steps one through seven, above

Law.Com Blog entry:  

RISC Management assists organizations in creating and implementing Data Breach prevention, detection, investigation, response, and improvement projects.

Written by Chris Heuman Chris @