The Importance of a Risk Assessment

Why is a HIPAA Risk Assessment So Important?

HIPAA requires you to complete a Risk Assessment, often referred to as a Risk Analysis, regularly and for specific situations. If your organization is audited, you will be required to show a Risk Assessment as a part of your HIPAA Compliance Plan. Imagine going to an IRS audit without any tax returns. Your Risk Assessment is like your Schedule C. Let’s just say it’s not going to be a very successful HIPAA audit without a Risk Assessment.

Health and Human Services Office for Civil Rights (HHS) defines Risk Analysis as “the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) held by a Covered Entity and the likelihood of occurrence.”1 That’s a pretty broad definition, as there are several intricacies to creating a thorough assessment. What risks and vulnerabilities do you need to assess? How do you know what to include? Creating a successful Risk Assessment, much less managing risk, can be daunting. We’re here to help make it manageable.

 

What Information Should a Risk Assessment Include?

Creating a Risk Assessment is the first step in an organization’s Security Rule compliance efforts. Your Risk Assessment document should be broken down into 3 key areas: Administrative, Technical, and Physical Safeguards, which are each outlined below. You can then use the responses to the questions in each area to help you create your Privacy and Security Policies and Procedures.

  1. Administrative Safeguards:
    • Privacy and Security Officer(s) and contact information
    • Policies and Procedures review schedule
    • Sanction policy for employees that violate your policies
    • Plan for dealing with breaches
    • Employee management for training
    • Business Associate Agreements
    • Notice of Privacy Practices
  1. Technical Safeguards:
    • Data backup plan
    • Disaster recovery plan
    • Emergency mode of operations plan
    • Website security
    • Electronic data storage
    • Remote access
    • Email encryption
    • Password requirements
  1. Physical Safeguards:
    • Who has access to your location?
    • Do you monitor who enters your office after business hours?
    • How do you protect patient or client files?
    • How do you control who has access to physical files?
    • Do you have any type of fire protection/suppression, emergency detection or third-party monitoring systems for disasters?

 

How often do you Perform a Risk Assessment?

The Risk Assessment is a living document, and the first year you have this in place, you may find certain parts work, and others don’t. This means you need to update the document to reflect any changes you make along the way.

There are several situations that will require you to perform a Risk Assessment.

  1. Initial HIPAA Implementation
  2. Any Major Changes in Software and/or Hardware – You are required to update your Risk Assessment after any major changes. This should be done prior to updating all systems in your practice or company You will want to test and verify that the new software or hardware is going to be acceptable before you launch it full scale. This will keep you from having to enact your “emergency operation” policy.
  3. Have a change in ownership or key management
  4. It’s Been a While – It’s been 2-3 years, you haven’t changed much in your practice or company, it’s probably a good idea to revisit your Risk Assessment. Remember to review your Business Associates and their compliance plans at this point.
  5. Breach – If you have a breach, then you are required to perform a Risk Assessment to find out where things went wrong. This may have been a malware attack, unauthorized access to your premises, or a lost device. Document the reason, and what steps you have taken to mitigate the breach. Also, remember breaches of over 500 individuals’ info requires you to contact HHS and local media. If the information includes anyone from California, you are also required to notify the California State Attorney General’s office.

 

It Doesn’t Stop After The Risk Assessment

Your Risk Assessment is the first step in your Risk Management Plan. It is a documented way to provide your organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of PHI. The Risk Assessment defines what risks and vulnerabilities you have that can expose PHI to hackers or business associates who are not HIPAA compliant. Risk Management is the actual implementation of security measures to sufficiently reduce an organization’s risk of losing or compromising its ePHI and to meet the general security standards. Risk management is ongoing and living – it should be a regular part of your daily routine. If you don’t take the time to manage risks by following and updating the Risk Assessment, the assessment itself is for naught. Check out our blog from 2017 on The Ins and Outs of Risk Management.

Completing a Risk Assessment and implementing Risk Management goes beyond just following HIPAA law. A thorough Risk Assessment and Risk Management plan will help make your organization HIPAA compliant A proper Risk Assessment is the foundation to your company’s security and can save you thousands of dollars in potential fines and protect your reputation.

We know that understanding HIPAA requirements can be overwhelming. Whether you’re a medical or dental practice, insurance agency, or employer group, Total HIPAA Compliance can help you create a Risk Assessment specific to your organization’s needs. We’ll walk you through the process of a Risk Assessment, then provide guidance as you begin implementation of your Risk Management Plan. Take the first step towards meeting HIPAA requirements and securing your organization – contact us today to get started!

 

Contact Us

    You can choose more than one field.

 

 

  1. https://www.hhs.gov/hipaa/for-professionals/faq/2013/what-is-the-difference-between-risk-analysis-and%20risk-management-in-the-security-rule/index.html