The HIPAA Risk Assessment - Who Needs One and When?

March 9, 2016 at 10:30 AM

Healthcare breaches are nothing new; in fact, they have become a weekly occurrence in the news. As one example, a Central Florida Oncology provider recently announced that it suffered a data breach at the hands of a hacker, resulting in the compromise of the personal information of 2.2 million individuals. If you want additional proof of the seriousness of Healthcare IT Security and the data breaches that follow from neglecting it, take a journey over to the Department of Health and Human Services "Wall of Shame," where you can see the details of every Healthcare breach involving more than 500 individuals.

When we discuss a HIPAA Risk Assessment, there are some items that we need to clarify, as HIPAA Compliance can be very confusing. HIPAA Compliance has multiple components: the Privacy Rule and the Security Rule. For the purposes of this blog post and the services that Compass provides around HIPAA Compliance, we evaluate both the Privacy and Security Rules to give an organization a thorough overview of its risk. For more details, check out this link (which might confuse you more, since it is a government site).

This raises two questions: Who needs a HIPAA Risk Assessment, and when do they need to get one? Let's deal with the first question and break it down into two different categories of organizations:

  • Covered Entities - This one should be pretty self-explanatory but is still worth mentioning. A covered entity is defined as an organization that falls into 1 of 3 buckets: Health Plans (Insurers), Health Care Providers (ALL), and Health Care Clearinghouses that electronically transmit any health information.
  • Business Associates - This one is a little more complex; however, a Business Associate is identified as an organization or person that creates, receives, maintains, or transmits Protected Health Information (PHI).


Now that we have the "who" identified, let's discuss the "when" for a HIPAA Risk Assessment. Before we do that, I am going to give you a disclaimer: you can do Google searches until you are blue in the face and you will never find an exact timeline, outside of attesting for Meaningful Use, of when to perform a HIPAA Risk Assessment. For Business Associates, the "when" requirements are even less clear and more confusing. So what I am going to do is walk you through the vagueness of the "when" and wrap it with some best practices. Since the HIPAA Audit program is back in action, this is important, and it is better to be safe than sorry, especially when significant fines are on the line. Anyway, on to the "when":

  • Direct from the HHS website: "HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information." Problem number 1 is the word that I bolded in that quote: "regularly." What does regularly mean? Does it mean yearly? Every 3 years? Quarterly? Daily? I have no idea, and you probably don't either, since the word "regularly" is very subjective and open to interpretation. To further this point, here is another quote from the HHS website that complicates the "when" even further: "The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency of performance will vary among covered entities." Great!
  • Here is the Compass suggestion: at a minimum annually, and whenever you experience significant changes in your environment. A lot can happen in a year, let alone two or three years. How do you think the Office of Civil Rights would feel if they came in to audit you, found you out of compliance, and discovered you hadn't conducted a HIPAA Risk Assessment in 2-3 years? My guess is not good, not good at all, and if they don't feel good, you probably won't feel good either once you receive a penalty or fine.
  • Let's talk about "significant changes in your environment," as that is a vague term, just like "regularly." Some examples of significant changes in your environment might include new hardware, new software, a new billing system, a new EMR provider, etc. All of these can have an impact on how you process and transmit protected health information, and ultimately on your exposure level.
  • What about Business Associates? Well, I am glad that you asked. In the most recent Final Omnibus Ruling, the Department of Health and Human Services placed the same requirements on Business Associates as on Covered Entities. Regularly. For Business Associates, I would follow the best-practice list above: at least annually, and more frequently when there are significant changes in your environment.

The HIPAA Risk Assessment process can be confusing, no doubt about it. One of the more confusing parts can be determining whether you are a Business Associate or not. Covered Entities are easier to identify, but Business Associates can be a little less clear. For that reason, we have created a little infographic list below that provides some examples of Business Associates.

[Infographic: Covered Entity or Business Associate? Examples of Business Associates]
