What is a HIPAA Risk Assessment?

In 2003, the original HIPAA Privacy Rule was issued, and the requirement to have a HIPAA Risk Assessment was put in place. However, many entities did not comply. Since the Office for Civil Rights (OCR) is issuing fines and cracking down more than ever before, it’s a great time to learn what a HIPAA Risk Assessment is and how you can create one for your company.

What’s the purpose of a Risk Assessment?

The U.S. Department of Health & Human Services intends a risk assessment to identify potential risks and vulnerabilities to the availability and integrity of Protected Health Information (PHI) that an organization creates, maintains, receives and transmits.

By identifying these potential risks, you can work to mitigate the potential for breaches of PHI and prevent fines for your organization. Developing this assessment helps you determine how secure your organization is and where improvements need to be made.

What Happens if I Don’t Have a Risk Assessment?

Like other HIPAA violations, you will be fined for not identifying these potential risks. A breach no longer has to occur for you to be fined; fines are also being issued for the mere potential of a breach. The Office for Civil Rights is auditing all organizations that deal with PHI, and if you’re not assessing where these risks are within your organization, you can expect a fine.

*What Needs to Be Included in My Risk Assessment?

  1. Identify where your PHI is stored, transmitted and received.
  2. Identify and document threats and vulnerabilities.
  3. Assess your current security measures.
  4. Determine the likelihood of a threat occurrence.
  5. Determine the potential impact of a threat occurring.
  6. Determine the level of risk.
  7. Identify your security measures and finalize documentation.
  8. Take action.

While risk assessments vary from organization to organization, these steps can help you get started with your assessment.
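The eight steps above amount to building a risk register: for each place PHI lives, pair a threat with the controls already in place, rate likelihood and impact, derive a risk level, and act on the highest first. The following is an added example (not from the original post or from HIPAAwise) that carries steps 1 through 6 into code on a constructed inventory; the three-point rating scale, the multiplication-based score and the level thresholds are assumptions chosen for illustration, not an OCR-mandated formula.

```python
from dataclasses import dataclass, asdict

# Assumed three-point scale for likelihood (step 4) and impact (step 5).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    phi_location: str      # step 1: where PHI is stored, transmitted or received
    threat: str            # step 2: threat or vulnerability being assessed
    current_controls: str  # step 3: safeguards already in place
    likelihood: str        # step 4: "low" / "medium" / "high"
    impact: str            # step 5: "low" / "medium" / "high"


def risk_score(likelihood: str, impact: str) -> int:
    """Step 6: combine likelihood and impact into a 1..9 score (assumed method)."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_level(score: int) -> str:
    """Map the numeric score onto a level; thresholds are an assumption."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(items: list[RiskItem]) -> list[dict]:
    """Produce the documented register (step 7), highest risk first."""
    rows = []
    for item in items:
        score = risk_score(item.likelihood, item.impact)
        rows.append({**asdict(item), "score": score, "risk_level": risk_level(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def items_needing_action(register: list[dict], minimum: str = "medium") -> list[dict]:
    """Step 8: select entries at or above the given level for remediation."""
    return [r for r in register if LEVELS[r["risk_level"]] >= LEVELS[minimum]]


# Constructed sample inventory for illustration; not a real organization's data.
SAMPLE_ITEMS = [
    RiskItem("Billing staff laptops", "Lost or stolen device", "Password login, no disk encryption", "high", "high"),
    RiskItem("EHR database server", "Ransomware delivered by phishing", "Endpoint AV, nightly offline backups", "medium", "high"),
    RiskItem("Referral fax line", "Fax sent to wrong number", "Cover sheet, confirmation call", "medium", "medium"),
    RiskItem("Archived paper charts", "Unauthorized physical access", "Locked room, badge log", "low", "medium"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS):
        print(f'{row["risk_level"]:6} {row["score"]}  {row["phi_location"]}: {row["threat"]}')
```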

How Often Should I Update My Risk Assessment?

While there are currently no guidelines on how often these assessments should occur, they should be conducted at a minimum of once a year. As technology evolves, so do the threats to it, so taking the time to assess the threats introduced by those changes can pay off in the long run.

If you’re looking for assistance in creating your HIPAA Risk Assessment, HIPAAwise, The van Halem Group solution, can help you become compliant. Contact us here to learn more or start your month-long free trial.

*For more information on how the OCR defines threats, vulnerabilities and risks, visit their website here.