So, what is a risk assessment? A risk assessment is a process to identify potential risks and analyze what can happen if a breach or mishandling of PHI occurs. There are currently over 100 questions that you must attest to in order to become compliant. This list is provided by the Office for Civil Rights. As a covered entity or a business associate, you are required by law to have a risk assessment. A risk assessment helps you understand your vulnerabilities and the potential for data breaches and non-compliance with the law. It also helps identify areas where data and paper charts can be better secured. A risk assessment is required by the Office for Civil Rights to assess the amount of risk a covered entity or business associate has. You do not know your exposure of PHI and ePHI if you have not been assessed. You must also produce a risk report from the risk assessment that details the level of risk and a remediation plan to resolve any and all risks to PHI or ePHI. We recommend annual risk assessments to meet regulations, determine your level of risk from year to year, and ensure that any changes in your business that may jeopardize the security of PHI or ePHI are addressed.
In this lesson, we'll be going over what a risk assessment is, the purpose of risk assessments, and the benefits of having one regularly. At the end of the lesson, we'll provide you with a Word about what a HIPAA risk assessment should consist of.
A risk assessment is a process that helps your business or organization identify any potential risks and analyze what could happen if a breach or mishandling of PHI or ePHI occurs.
Risk assessments are required by the Office for Civil Rights. To become compliant, you must attest to 100 questions that the OCR provides. By conducting a thorough risk assessment, you should have a better idea of the amount of risk your business or organization has, along with your exposure of all protected health information.
Pro Tip #1: The important thing to remember is that all covered entities and business associates are required by law to conduct a risk assessment.
The goals of doing a risk assessment are understanding your vulnerabilities, if any exist, and the potential for a data breach. A risk assessment can help identify areas where you can better secure all types of patient health data, from ePHI to paper charts.
Pro Tip #2: All covered entities and business associates must also produce a risk report from the risk assessment. The risk report should detail the level of the risk and a remediation plan to resolve any and all risks to PHI and ePHI.
ProHIPAA recommends that all covered entities and business associates conduct an annual risk assessment to comply with all regulations and determine your level of risk from year to year. This yearly approach to risk assessments will help ensure that any changes in your business or organization haven't affected the security of the protected health information of your patients or customers.
The U.S. Department of Health and Human Services (HHS) acknowledges that there is no specific risk analysis methodology. This may be due to covered entities and business associates varying significantly in size, complexity, and capabilities.
However, HHS does provide an objective of a HIPAA risk assessment – to identify potential risks and vulnerabilities to the confidentiality, availability, and integrity of all PHI that an organization creates, receives, maintains, or transmits.
In order to achieve these objectives, the HHS suggests an organization should:
A HIPAA risk assessment is not a one-time or singular exercise. Assessments should be reviewed periodically, and as new work practices are implemented or new technology is introduced. HHS does not provide guidance on the frequency of reviews other than to suggest they may be conducted annually depending on an organization's circumstances.
Because the requirement for business associates to conduct risk assessments was introduced in an amendment to the HIPAA Security Rule, many covered entities and business associates overlook the necessity of conducting a HIPAA privacy risk assessment.
A HIPAA privacy risk assessment is equally as important as a security risk assessment but can be a much larger undertaking depending on the size of the organization and the nature of its business.
In order to complete a HIPAA privacy risk assessment, an organization should appoint a privacy officer who can identify organizational workflows and get a big-picture view of how the HIPAA Privacy Rule will impact the organization's operations. Thereafter, the privacy officer needs to map the flow of PHI both internally and externally in order to conduct a gap analysis that identifies where breaches may occur.
The final stage of a HIPAA privacy risk assessment should be the development and implementation of a HIPAA privacy compliance program. The program should include policies to address the risks to PHI identified in the HIPAA privacy risk assessment and should be reviewed as suggested by the HHS as new work practices are implemented or new technology is introduced.