What is a HIPAA Risk Assessment?
The HIPAA Security Rule, finalized in 2003, introduced the requirement that regulated entities conduct a risk analysis, commonly called a HIPAA Risk Assessment. Many entities never complied. With the HHS Office for Civil Rights (OCR) issuing fines and enforcing more aggressively than ever before, now is a good time to learn what a HIPAA Risk Assessment is and how to create one for your organization.
What’s the purpose of a Risk Assessment?
The U.S. Department of Health & Human Services (HHS) intends the risk assessment to identify the potential risks and vulnerabilities to the confidentiality, integrity and availability of the Protected Health Information (PHI) that an organization creates, receives, maintains or transmits.
By identifying these risks you can reduce the likelihood of a breach of PHI and avoid fines for your organization. The assessment also shows how secure your organization currently is and where improvements need to be made.
What Happens if I Don’t Have a Risk Assessment?
Like other HIPAA violations, failing to identify these risks is itself a finable offense. A breach no longer has to occur for a fine to be issued; OCR also fines organizations for leaving the potential for a breach unaddressed. The Office for Civil Rights audits organizations that handle PHI, and if you are not assessing where the risks are within your organization you can expect a fine.
*What Needs to Be Included in My Risk Assessment?
- Identify where your PHI is stored, transmitted and received.
- Identify and document threats and vulnerabilities.
- Assess your current security measures.
- Determine the likelihood of a threat occurrence.
- Determine the potential impact of a threat occurring.
- Determine the level of risk.
- Identify your security measures and finalize documentation.
- Take action.
While risk assessments vary from one organization to another, these steps will help you get started with your assessment.
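The eight steps above map onto a simple risk register. The following is an added example, not code from the original article or from The van Halem Group or HIPAAwise: it inventories PHI locations, pairs each with a threat, a vulnerability and the controls already in place, rates likelihood and impact on an assumed 1-5 scale, derives a qualitative risk level, and lists what needs action. The rating scale, the level thresholds and the sample inventory are constructed assumptions, not values defined by OCR.

```python
# Added example (not from the original article). Scale, thresholds and the
# sample assets/findings below are constructed assumptions for illustration.
from __future__ import annotations
from dataclasses import dataclass

# Assumed qualitative scales; an organization would document its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Asset:
    """Step 1: a place where PHI is stored, transmitted or received."""
    name: str
    phi_flow: str  # "stored" | "transmitted" | "received"


@dataclass
class Risk:
    """Steps 2-5: one threat/vulnerability pair against one asset, with ratings."""
    asset: Asset
    threat: str
    vulnerability: str
    current_controls: tuple[str, ...]
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        return risk_level(self.score)


def risk_level(score: int) -> str:
    """Step 6: map the likelihood x impact product onto a level (assumed bands)."""
    if score <= 4:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def uncovered_assets(assets: list[Asset], risks: list[Risk]) -> list[Asset]:
    """Consistency check: every inventoried PHI location needs at least one documented risk."""
    covered = {r.asset for r in risks}
    return [a for a in assets if a not in covered]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Step 7: the finalized register, highest risk first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def action_items(risks: list[Risk], minimum: str = "Medium") -> list[Risk]:
    """Step 8: risks at or above the threshold that need an owner and a remediation date."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    return [r for r in prioritize(risks) if order[r.level] >= order[minimum]]


# Constructed sample inventory and findings, not real assessment data.
ASSETS = [
    Asset("EHR database server", "stored"),
    Asset("Clinician laptops", "stored"),
    Asset("Email to outside providers", "transmitted"),
    Asset("Patient intake fax line", "received"),
]

RISKS = [
    Risk(ASSETS[0], "Ransomware", "Backups exist but restores are never tested",
         ("Endpoint antivirus", "Nightly backups"), "possible", "severe"),
    Risk(ASSETS[1], "Device theft", "Full-disk encryption not enforced",
         ("Screen lock policy",), "possible", "major"),
    Risk(ASSETS[2], "Interception in transit", "TLS not required for outbound mail",
         (), "likely", "major"),
]


if __name__ == "__main__":
    for gap in uncovered_assets(ASSETS, RISKS):
        print(f"No risk documented for: {gap.name} ({gap.phi_flow})")
    for r in prioritize(RISKS):
        print(f"{r.level:6} {r.score:2}  {r.asset.name}: {r.threat} / {r.vulnerability}")
```

Running the script flags the fax line as an inventoried PHI location with no documented risk, and orders the remaining findings with the unencrypted email path and the untested backups at the top; that uncovered-asset check is the one most often missed when the inventory (step 1) and the threat list (step 2) are kept in separate spreadsheets.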
How Often Should I Update My Risk Assessment?
The risk analysis process should be ongoing. In order for an entity to update and document its security measures "as needed," which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process; the frequency will vary among covered entities. Some perform these processes annually or as needed, depending on the circumstances of their environment. We recommend revisiting your risk assessment at least annually, and whenever your environment changes in a way that affects PHI, such as a new system or vendor, a merger, or a security incident.
If you’re looking for assistance in creating your HIPAA Risk Assessment, The van Halem Group can help you. Our HIPAA compliance software, HIPAAwise, provides you with everything you need to be compliant with HIPAA regulations. Contact us to learn more.
*For more information on how OCR defines threats, vulnerabilities and risks, visit the HHS Office for Civil Rights website.