3 Reasons Why You Need a HIPAA Risk Assessment Right Now

HIPAA is in the news all the time. Whether it is the tragedy that struck Orlando last weekend, the news of the HIPAA Audits coming, or a new healthcare breach being reported, we are constantly bombarded with why HIPAA compliance is critical. As with any organization, protecting and safeguarding the sensitive information that you possess is not only essential, it is your responsibility to the customers that you serve. This sensitive information can be a variety of different types, from personally identifiable information like your name, address, email address, and answers to security questions, to credit/debit card information, to protected health information. What makes Healthcare Organizations, both covered entities and business associates unique, is that they possess all of the information above. A covered entity has a significant amount of data on a patient, not only their PHI but also their PII and payment information (in most cases). When you think about it, that is a significant amount of information for one organization to hold and be responsible for. 

HIPAA only really cares about the PHI or ePHI that a healthcare organization holds in their systems. That doesn't mean that the other information is less important, it simply means that there is a specific federal regulation that mandates healthcare organizations follow certain steps and implement specific controls to protect the PHI and ePHI they process, transmit, and store. Along with the HIPAA Privacy, Security, and Breach rules comes the HIPAA Audit program, which is entering what the Department of Health and Human Services calls Phase 2. One of the most important pieces of HIPAA and the HIPAA Audit program has to do with organizations conducting a thorough, ongoing Risk Assessment. This is not a "one and done" situation as threats change constantly, especially when it comes to the area of IT Security. Outside of being required to do a risk assessment to comply with HIPAA, here are 3 very important reasons why you must conduct a HIPAA Risk Assessment on a regular basis:

• The Value of Health Records - Two to Three years ago, credit card breaches were all the rage and it seemed like a new breach was being reported every day. Fast forward over the past year and that's what has happened with healthcare records. Why? The answer is simple: MONEY. According to the Ponemon Institute, the average cost of a stolen healthcare record is $355 per record. The average cost of any stolen record, outside of healthcare of course, is $158 per record. Healthcare records are essentially twice as valuable as other stolen records. Hackers and organized crime entities steal records for one main reason: To sell them illegally and make money. Medical records are very valuable and therefore are at an increased risk of attack/exposure.
• HIPAA Audit Program - I covered this a little in a blog post from earlier this week but it is worth mentioning again. The HIPAA Audit program is kicking off again and when it comes to the Security Rule, the number one area where organizations failed was a lack of conducting a HIPAA Risk Assessment. In fact, 66% of the organizations that went through phase 1 of the audit program did not have a complete and/or accurate risk assessment. When it comes to Providers (Covered Entities), 79% of the Providers included did not have a thorough or accurate HIPAA Risk Assessment. This will be a very obvious focus of the Phase 2 HIPAA Audit program so you had better be prepared.
• Best Practice - If the first two reasons aren't compelling enough, what about conducting regular risk assessments as a best practice? As an organization, you have a responsibility to your customers to do everything in your power to protect their information. While a HIPAA Risk Assessment isn't a guarantee of security, it demonstrates that you are serious about their sensitive information and doing all that you can to protect said information. 

The healthcare sector is under attack. Couple that with the challenges that are specific to healthcare and this can be a dangerous scenario. As part of our monthly webinar series, Compass IT Compliance is presenting on the challenges that are specific to Healthcare organizations and some strategies that you can implement immediately to mitigate your risk of a breach. See below for more details and to register:

When: Thursday June 23rd @ 1:00 PM EST

Duration: 30 Minutes with Q&A Session

Where: Online, register below