HIPAA Risk Assessment: What You Need to Know


So, you are required to be HIPAA compliant, but where should you even start? There seem to be so many rules and regulations, and there are, but that is not a reasonable excuse for not fulfilling your obligations as a business owner. As an MSP, we want to make things a little easier for you.

You now have access to everything you need to know about getting a HIPAA risk assessment, plus a downloadable HIPAA Compliance Checklist.

Keep reading to get a great head start toward a fully HIPAA-compliant business.

Who Needs a HIPAA Risk Assessment?

In a word – YOU!

Chances are if you’re reading this page, you have questioned whether your organization is required to be HIPAA compliant. Or, on the other hand, you know you have to be, but the task of becoming compliant just seems so confusing and difficult that you are looking for a little assistance from an IT consulting company to make the process easier. 

While many may think it is only large medical organizations that are required to be compliant, this is simply not true. No matter what size your organization is, if you handle protected health information (PHI), you and your business associates are required to comply, and the Office for Civil Rights (OCR) will NOT overlook any non-compliance. 

As far as the OCR is concerned, one breach of PHI is too many, and it takes its auditing responsibilities very seriously. Since 2009, more than 180,000 PHI breaches have been reported to the OCR, and less than 1% of these breaches have involved leaks affecting over 500 patients, meaning that 99% of the time the OCR is investigating breaches that many would consider ‘small’ or ‘insignificant’.

PHI breaches, however, are never small nor insignificant, especially not to the affected patients, so there is no time like the present to do a HIPAA risk assessment on your business.

What Does a HIPAA Risk Assessment Include?

It is important to point out that an effective HIPAA Risk Assessment should be carried out in two parts: a Privacy Risk Assessment and a Security Risk Assessment – each equally important and both highly necessary.

The HIPAA Privacy Risk Assessment includes the appointment of a Privacy Officer, who is required to identify organizational workflows to determine the operational impact of the HIPAA Privacy Rule. This gives your organization an overview of any third-party contractors involved in your business at any time who also need to be HIPAA compliant and who should also be included in the Security Risk Assessment.

Your Privacy Officer will be responsible for identifying and recording the internal and external flow of PHI to better see where vulnerabilities could occur.

While the US Department of Health & Human Services (HHS) states that no uniform risk analysis methodology exists, this doesn’t mean there are no reasonable guidelines to follow to ensure a comprehensive risk assessment of any business can be carried out. Regardless of the size, complexity, and capabilities of the Covered Entity or Business Associate, HHS still requires businesses to identify, assess, and analyze their current protocols to ensure the continued protection of PHI.

HHS advises organizations to regularly:

  • Determine where PHI is stored (on-prem or in the cloud), obtained, protected, and shared
  • Determine and record all potential threats and vulnerabilities to PHI
  • Evaluate current security systems and protocols to ensure the security and safety of PHI and whether these measures are used correctly
  • Determine the possibility of “reasonably anticipated” threats, i.e., foreseeable threats that could affect HIPAA compliance
  • Determine the impact a PHI breach could have
  • Define and allocate risk levels for vulnerabilities and associated impacts
  • Record the assessment and make changes where necessary

As businesses are constantly changing, regular risk assessments are necessary and should be conducted periodically to ensure continued compliance – particularly with the adoption of new technology or practices. Although there is no clear instruction on how often assessments should be carried out, it is your responsibility as the business owner to make sure your organization is staying up to date with HIPAA compliance requirements.

And, if you already have an internal IT team working on your compliance goals, consider a fresh perspective from a co-managed IT approach.

Finally, a necessary part of the HIPAA Privacy Risk Assessment is developing and implementing a HIPAA Privacy Compliance Program that includes policies to mitigate the risks highlighted in the assessment.

HIPAA Compliance Checklist

A great way to make sure your business is on track and up to date with the internal audit and assessment requirements to stay HIPAA compliant is with a HIPAA Compliance Checklist. Although the checklist is not a guarantee that your organization is compliant, it can help you remember and identify all the primary areas that must be assessed and analyzed for complete HIPAA compliance.

So don’t forget to download your FREE HIPAA Compliance Checklist now!

Helping You To Keep Your PHI Safe

HIPAA compliance can be confusing for a lot of organizations, but adherence will ultimately protect both your business and your patients as much as possible. Therefore, you need to know which steps to take to reach compliance successfully.

If you feel your business could benefit from a HIPAA-verified partner who can help you keep your PHI safe and secure, or have any questions related to HIPAA, talk with an expert or contact us today.
