Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA (Health Insurance Portability and Accountability Act) Risk Assessment
“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”
-Leon Rodriguez, head of the U.S. Health and Human Services Office for Civil Rights
When the Office for Civil Rights (“OCR”) auditor drops by your health facility to ensure that you are complying with HIPAA, one thing is for certain: he will be asking to see your Risk Assessment. Do you have one? Is it completed? Has it been used to develop and implement appropriate policies and procedures?
Audit Risks Are Real
The OCR is cracking down on covered entities’ and business associates’ compliance with HIPAA. Audits are becoming commonplace and resulting in more and more providers being hit with fines and sanctions. You may think that even if you are subject to an audit, then penalty will be a slap on the wrist. Think again. The maximum penalty for a HIPAA violation is now $1.5 million. Maybe you are too small of a provider to be the target of an audit? Think again, again. In January of 2013, Hospice of North Idaho agreed to pay the Department of Health and Human Services (“HHS”) $50,000 to settle potential HIPAA violations stemming from a 2010 incident involving a stolen, unencrypted laptop. It was the first HIPAA breach settlement involving less than 500 people. The hospice did not have a risk assessment in place.
Risk Assessments Are Not Optional
A HIPAA risk assessment is a thorough investigation and analysis of areas where there is potential risk of violating HIPAA laws. A risk assessment is not optional and it is not just a checklist. Covered entities, and now business associates, are required to have an assessment done. Specifically, entities must:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
These assessments are critical to compliance with the HIPAA Security Rule. An assessment should include questions addressing administrative, physical, and technical safeguards, and the Breach Notification Rule. Many assessments are created in the form of a table and not only analyze the level of the risk, but also whether there is a policy in place and who should be responsible for ensuring each provision is implemented.
Risk Assessments Are Just the First Step
Once your facility’s risk assessment is complete, then it and any relevant accompanying documents should be kept in your HIPAA security files. Assessing risks is only a first step. You must use the results of your risk assessment to develop and implement appropriate policies and procedures. The use of a privacy officer is highly recommended. Consider offering training to employees where a sign-in sheet is required and certifications are provided once training is complete. This kind of documentation will be very beneficial when the OCR auditor is at your door.
New Trademark Headaches, But Help is On the Way Re: Internet Corporation for Assigned Names and Numbers’ (ICANN) Expansion of Generic Top-Level Domains (gTLDs)
For brand owners that have often struggled to keep up with all the infringement and cybersquatting issues in the 22 existing generic top-level domain name registries, or “gTLDs”, like .com, .org, and .net, life is about to become even more challenging. The Internet Corporation for Assigned Names and Numbers’ (ICANN) planned expansion of gTLDs to potentially almost 2,000 in total has the potential to create major trademark enforcement headaches. In order to address some of those concerns and burdens, ICANN has created the Trademark Clearinghouse, which allows brand owners to submit information regarding their registered trademarks into a single database across all the new gTLDs for an annual fee of approximately $150 per trademark per year.
Registration in the Trademark Clearinghouse provides two primary benefits:
- First, it allows brand owners priority access for registering their trademarks as domain names in any new gTLD that is available to the general public as it launches.1 For example, if Acme Car Sales owns a trademark registration covering the term ACME in any jurisdiction worldwide, as the anticipated .cars registry launches, Acme Car Sales would be able to register acme.cars before others have that opportunity.
- Second, Clearinghouse registrants will receive notice if anyone tries to register domain names that match their marks. Thus, to take the prior example, if Acme Car Sales decides not to register acme.cars, but a third party proceeds to do so, Acme Car Sales will receive notice of the registration and then can contest it if appropriate.
Although this sounds promising, be aware that the Clearinghouse is not perfect—if Acme Car Sales’ only trademark registration is for “ACME,” the Clearinghouse does not provide any benefits pertaining to domain name registrations that differ even slightly from the trademark registration, such as acmesales.cars, or acmechicago.cars. Additionally, individual registries are permitted to determine on their own how to handle situations where multiple entities own trademark registrations for the same mark.
Despite these shortcomings, the Trademark Clearinghouse presents a good first step toward brand protection in the new gTLD space, and most brand owners will benefit from registration. Registration is now open, and will remain open as long as new gTLDs are being released.