The Importance of a Risk Assessment

Why is a HIPAA Risk Assessment So Important?

HIPAA requires you to complete a Risk Assessment, often referred to as a Risk Analysis, regularly and for specific situations. If your organization is audited, you will be required to show a Risk Assessment as a part of your HIPAA Compliance Plan. For example, going through a HIPAA audit without a Risk Assessment is like going to an IRS audit without any tax returns. Therefore, creating and maintaining this document is absolutely necessary!

Health and Human Services Office for Civil Rights (HHS) defines Risk Analysis as “the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the electronic Protected Health Information (ePHI) held by a Covered Entity and the likelihood of occurrence.”¹ That’s a pretty broad definition, as there are several intricacies to creating a thorough assessment. So, what risks and vulnerabilities do you need to assess? Also, how do you know what to include? Creating a successful Risk Assessment, much less managing risk, can be daunting. So, we’re here to help make it manageable.

What Information Should a Risk Assessment Include?

First, create a Risk Assessment to evaluate the potential weakness in your security procedures and systems. After that, you can then use the responses to the questions in each area to help you create your Privacy and Security Policies and Procedures. Your Risk Assessment document should be broken down into 3 key areas: Administrative, Technical, and Physical Safeguards, which are each outlined below.

Administrative Safeguards

1. Privacy and Security Officer(s) and contact information
2. Policies and Procedures review schedule
3. Sanction policy for employees that violate your policies
4. Plan for dealing with breaches
5. Employee management for training
6. Business Associate Agreements
7. Notice of Privacy Practices

Technical Safeguards

1. Data backup plan
2. Disaster recovery plan
3. Emergency mode of operations plan
4. Website security
5. Electronic data storage
6. Remote Access
7. Email Encryption
8. Password Requirements

Physical Safeguards

1. Who has access to your location?
2. Do you monitor who enters your office after business hours?
3. How do you protect patient or client files?
4. How do you control who has access to physical files?
5. Do you have any type of fire protection/suppression, emergency detection or third-party monitoring systems for disasters?

How often do you Perform a Risk Assessment?

The Risk Assessment is a living document, and the first year you have this in place, you may find certain parts work, and others don’t. This means you need to update the document to reflect any changes you make along the way.

There are several situations that will require you to perform a Risk Assessment.

1. Initial HIPAA Implementation
2. Any Major Changes in Software and/or Hardware – You are required to update your Risk Assessment after any major changes. This should be done prior to updating all systems in your practice or company You will want to test and verify that the new software or hardware is going to be acceptable before you launch it full scale. This will keep you from having to enact your “emergency operation” policy.
3. Have a change in ownership or key management
4. It’s Been a While – It’s been 2-3 years, you haven’t changed much in your practice or company, it’s probably a good idea to revisit your Risk Assessment. Remember to review your Business Associates and their compliance plans at this point.
5. Breach – If you have a breach, then you are required to perform a Risk Assessment to find out where things went wrong. This may have been a malware attack, unauthorized access to your premises, or a lost device. Document the reason, and what steps you have taken to mitigate the breach. Also, remember breaches of over 500 individuals’ info requires you to contact HHS and local media. If the information includes anyone from California, you are also required to notify the California State Attorney General’s office.

It Doesn’t Stop After The Risk Assessment

Your Risk Assessment is the first step in your Risk Management Plan. It is a documented way to provide your organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of PHI. The Risk Assessment defines risks and vulnerabilities that can expose PHI to hackers or business associates who are not HIPAA compliant.

Similarly, risk management requires implementing security measures to sufficiently reduce an organization’s risk of losing or compromising its ePHI. Risk management is ongoing and living – it should be a regular part of your daily routine. If you don’t take the time to manage risks by following and updating the Risk Assessment, the assessment itself is for naught. Check out our blog from 2017 on The Ins and Outs of Risk Management.

Completing a Risk Assessment and implementing Risk Management goes beyond just following HIPAA law. A thorough Risk Assessment and Risk Management plan will help make your organization HIPAA compliant and a proper Risk Assessment is the foundation of your company’s security policy; above all, it can save you thousands of dollars in potential fines and protect your reputation.

In conclusion, we know that understanding HIPAA requirements can be overwhelming. Therefore, we’ll walk you through the process of making a Risk Assessment, then provide guidance as you implement your Risk Management Plan. Whether you’re a medical or dental practice, insurance agency, or employer group, Total HIPAA Compliance can help you create a Risk Assessment specific to your organization’s needs. Meanwhile, you can take the first step towards meeting HIPAA requirements and securing your organization – contact us today to get started!

https://www.hhs.gov/hipaa/for-professionals/faq/2013/what-is-the-difference-between-risk-analysis-and%20risk-management-in-the-security-rule/index.html

Sharing is caring!