So, you are required to be HIPAA compliant, but where should you even start? There seem to be so many rules and regulations, and there are, but this is not a reasonable excuse for not fulfilling your obligations as a business owner. To make things a little easier, though, you now have access to everything you need to know about HIPAA risk assessments, and a downloadable HIPAA Compliance Checklist!
So, keep reading to get a great head start towards a fully HIPAA compliant business.
HIPAA Risk Assessments – who needs them?
In a word – YOU!
Chances are if you’re reading this page, you have questioned whether your organization is required to be HIPAA compliant. Or, on the other hand, you know you have to be, but the task of becoming compliant just seems so confusing and difficult that you are looking for a little assistance to make the process easier.
While many may think that only large medical organizations are required to be compliant, this is simply not true. No matter what size your organization is, if you handle protected health information (PHI), you and your business associates are required to comply, and the Office for Civil Rights (OCR) will NOT overlook any non-compliance. As far as the OCR is concerned, one breach of PHI is too many, and it takes its auditing responsibilities very seriously. Since 2009, more than 180,000 PHI breaches have been reported to the OCR, and less than 1% of these breaches have involved leaks affecting over 500 patients, meaning that 99% of the time the OCR is investigating breaches that many would consider ‘small’ or ‘insignificant’.
PHI breaches, however, are never small or insignificant, especially not to the affected patients, so there is no time like the present to carry out a HIPAA risk assessment of your business.
What does a HIPAA Risk Assessment include?
It is important to point out that an effective HIPAA Risk Assessment should be carried out in two parts: a Privacy Risk Assessment and a Security Risk Assessment, each equally important and both highly necessary.
The HIPAA Privacy Risk Assessment includes the appointment of a Privacy Officer, who is required to identify organizational workflows in order to determine the operational impact of the HIPAA Privacy Rule. This gives your organization an overview of any third-party contractors involved in your business at any time who also need to be HIPAA compliant and who should also be included in the Security Risk Assessment. Your Privacy Officer will be responsible for identifying and recording the internal and external flow of PHI, to better see where vulnerabilities could occur.
While the US Department of Health & Human Services (HHS) states that no uniform risk analysis methodology actually exists, this doesn’t mean there are no reasonable guidelines to follow to ensure that a comprehensive risk assessment of any business can be carried out. Regardless of the size, complexity, and capabilities of the Covered Entity or Business Associate, HHS still requires businesses to identify, assess, and analyze their current protocols to ensure the continued protection of PHI.
HHS advises organizations to regularly:
- Determine where PHI is stored, obtained, protected, and shared
- Determine and record all potential threats and vulnerabilities to PHI
- Evaluate whether current security systems and protocols actually protect PHI, and whether these measures are being used correctly
- Determine the possibility of “reasonably anticipated” threats, i.e., foreseeable threats that could affect HIPAA compliance
- Determine the impact a PHI breach could have
- Define and allocate risk levels for vulnerabilities and associated impacts
- Record the assessment and make changes where necessary
As businesses and the way they operate are constantly changing, regular risk assessments are necessary and should be conducted periodically to ensure continued compliance, particularly when new technology or practices are adopted. Although there is no clear instruction on how often assessments should be carried out, it is your responsibility as the business owner to make sure your organization stays up to date with HIPAA compliance requirements.
Finally, a necessary part of the HIPAA Privacy Risk Assessment is the development and implementation of a HIPAA Privacy Compliance Program, which includes policies that mitigate the risks highlighted in the HIPAA Privacy Risk Assessment.
HIPAA Compliance Checklist
A great way to make sure your business is on track and up to date with the internal audit and assessment requirements for staying HIPAA compliant is a HIPAA Compliance Checklist. Although the checklist is not a guarantee that your organization is compliant, it can help you remember and identify all the primary areas that must be assessed and analyzed for complete HIPAA compliance.
So don’t forget to download your FREE HIPAA Compliance Checklist now!
Helping you to keep your PHI safe
It’s obvious that HIPAA compliance can be confusing for a lot of organizations, but adherence will ultimately protect both your business and your patients as much as possible. Therefore, it’s important for you to know what steps you need to take to reach compliance successfully. If you feel your business could benefit from a HIPAA-verified partner who can help you keep your PHI safe and secure, contact the team at Merit Technologies today.
Nice breakdown. We’re in the process of having our first HIPAA assessment and it’s scary waiting to see the verdict.
I don’t like leaving anything to chance; just the thought of having one PHI breach is too much. I’ve worked in the medical field for around three years, and the hassle of complying with all the HIPAA guidelines has taken its toll, but we just can’t allow personal data to become a liability because it’s more comfortable to do so.