HIPAA requires you to complete a Risk Assessment, often referred to as a Risk Analysis, regularly and for specific situations. If your organization is audited, you will be required to show a Risk Assessment as a part of your HIPAA Compliance Plan. For example, going through a HIPAA audit without a Risk Assessment is like going to an IRS audit without any tax returns. Therefore, creating and maintaining this document is absolutely necessary!
Health and Human Services Office for Civil Rights (HHS) defines Risk Analysis as “the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) held by a Covered Entity and the likelihood of occurrence.”1 That’s a pretty broad definition, as there are several intricacies to creating a thorough assessment. So, what risks and vulnerabilities do you need to assess? Also, how do you know what to include? Creating a successful Risk Assessment, much less managing risk, can be daunting. So, we’re here to help make it manageable.
What Information Should a Risk Assessment Include?
First, create a Risk Assessment to evaluate the potential weakness in your security procedures and systems. After that, you can then use the responses to the questions in each area to help you create your Privacy and Security Policies and Procedures. Your Risk Assessment document should be broken down into 3 key areas: Administrative, Technical, and Physical Safeguards, which are each outlined below.
Administrative Safeguards
Privacy and Security Officer(s) and contact information
Policies and Procedures review schedule
Sanction policy for employees that violate your policies
Plan for dealing with breaches
Employee management for training
Business Associate Agreements
Notice of Privacy Practices
Technical Safeguards
Data backup plan
Disaster recovery plan
Emergency mode of operations plan
Website security
Electronic data storage
Remote Access
Email Encryption
Password Requirements
Physical Safeguards
Who has access to your location?
Do you monitor who enters your office after business hours?
How do you protect patient or client files?
How do you control who has access to physical files?
Do you have any type of fire protection/suppression, emergency detection or third-party monitoring systems for disasters?
How often do you Perform a Risk Assessment?
The Risk Assessment is a living document, and the first year you have this in place, you may find certain parts work, and others don’t. This means you need to update the document to reflect any changes you make along the way.
There are several situations that will require you to perform a Risk Assessment.
Initial HIPAA Implementation
Any Major Changes in Software and/or Hardware – You are required to update your Risk Assessment after any major changes. This should be done prior to updating all systems in your practice or company You will want to test and verify that the new software or hardware is going to be acceptable before you launch it full scale. This will keep you from having to enact your “emergency operation” policy.
Have a change in ownership or key management
It’s Been a While – It’s been 2-3 years, you haven’t changed much in your practice or company, it’s probably a good idea to revisit your Risk Assessment. Remember to review your Business Associates and their compliance plans at this point.
Breach – If you have a breach, then you are required to perform a Risk Assessment to find out where things went wrong. This may have been a malware attack, unauthorized access to your premises, or a lost device. Document the reason, and what steps you have taken to mitigate the breach. Also, remember breaches of over 500 individuals’ info requires you to contact HHS and local media. If the information includes anyone from California, you are also required to notify the California State Attorney General’s office.
It Doesn’t Stop After The Risk Assessment
Your Risk Assessment is the first step in your Risk Management Plan. It is a documented way to provide your organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of PHI. The Risk Assessment defines risks and vulnerabilities that can expose PHI to hackers or business associates who are not HIPAA compliant.
Similarly, risk management requires implementing security measures to sufficiently reduce an organization’s risk of losing or compromising its ePHI. Risk management is ongoing and living – it should be a regular part of your daily routine. If you don’t take the time to manage risks by following and updating the Risk Assessment, the assessment itself is for naught. Check out our blog from 2017 on The Ins and Outs of Risk Management.
Completing a Risk Assessment and implementing Risk Management goes beyond just following HIPAA law. A thorough Risk Assessment and Risk Management plan will help make your organization HIPAA compliant and a proper Risk Assessment is the foundation of your company’s security policy; above all, it can save you thousands of dollars in potential fines and protect your reputation.
In conclusion, we know that understanding HIPAA requirements can be overwhelming. Therefore, we’ll walk you through the process of making a Risk Assessment, then provide guidance as you implement your Risk Management Plan. Whether you’re a medical or dental practice, insurance agency, or employer group, Total HIPAA Compliance can help you create a Risk Assessment specific to your organization’s needs. Meanwhile, you can take the first step towards meeting HIPAA requirements and securing your organization – contact us today to get started!
Email authentication is no longer optional—it’s essential. Without properly configured SPF, DKIM, and DMARC records, your emails risk being flagged as spam or blocked entirely. As providers like Microsoft tighten deliverability rules, organizations must act now to secure their domains. This guide walks you through the setup and alignment process to protect your reputation, improve deliverability, and stay compliant with evolving standards.
First Impressions: Spok Mobile emerges as a leading HIPAA-compliant text messaging solution designed specifically for hospitals and healthcare organizations. As part of the Spok Care Connect®...
First Impressions: In today's digital world, secure communication is critical for any organization handling protected health information (PHI). Notifyd emerges as a robust solution, offering a...
Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back
Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.Ok