“Complete and accurate” sounds so simple, but when it comes to performing an annual HIPAA risk assessment, it can be tricky to meet that standard. Many health care organizations that think they’ve done a complete and accurate HIPAA risk assessment actually haven’t.
Why? Because they’ve done it all themselves without knowing everything that goes into the process.
Most health care providers are aware it's important to complete an annual HIPAA risk assessment because doing so is required by law and the audits are key to helping identify “soft spots” in data-handling policies or procedures that could lead to breaches. Still, performing a complete and accurate HIPAA risk assessment can be a challenge -- particularly for smaller practices.
The problem is that HIPAA risk assessments are complicated and require more than simply working your way down a checklist. They must be completed in accordance with NIST guidelines -- a 117-page document. An organization that tries to do its annual HIPAA risk assessment on its own may miss things because its members don't understand everything they need to do.
To count as valid under OCR rules, a HIPAA risk assessment must include these nine elements:
- Scope of the analysis. The analysis must include all electronic protected health information (ePHI) the organization touches in the process of creating, receiving, storing or sending health records.
- Data collection practices. This is information about the policies and procedures the organization has in place for creating, receiving, storing or sending ePHI.
- Identify and document potential threats and vulnerabilities. The organization must consider the threats to ePHI it can reasonably anticipate, and identify and document them.
- Assess current security measures. The organization needs to examine and record any security measures it uses to protect ePHI.
- Determine the likelihood of a threat occurrence. Organizations must calculate the probability of risks threatening the ePHI they handle.
- Determine potential impact of threat occurrence. The organization is required to determine the level of “criticality,” or effect potential risks could have on ePHI.
- Determine level of risk. This involves considering the value assigned to the probability of threat occurrence and the result of the threat occurrence.
- Finalize documentation. The risk assessment must be documented, although no specific format or template is required.
- Periodic review and updates to risk assessment. Even after the assessment is completed, your work isn't over. Risk analysis should be a continuous process so organizations always know when they need to make updates to their policies and procedures for handling ePHI.
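The elements above describe a repeatable procedure: inventory the ePHI systems in scope, record the threats, vulnerabilities and current controls for each, rate likelihood and impact, combine them into a risk level, and produce documentation that can be reviewed again next cycle. The following Python sketch is an added example of that flow; it is not code from the original post or from Logan Solutions. The three-level scale, the 3x3 matrix thresholds used to turn likelihood and impact into a risk level, and the sample findings are all assumptions constructed for illustration, not a prescribed OCR or NIST format.

```python
"""Minimal HIPAA-style risk register (added example, not the page's own tooling).

Flow: in-scope asset -> threat/vulnerability -> current controls ->
likelihood x impact -> risk level -> documented, sortable register.
"""
from dataclasses import dataclass, asdict
import json

# Qualitative scale (assumption: three levels scored 1..3, in the spirit of a
# likelihood x impact matrix; the organization picks its own scale).
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Finding:
    asset: str             # ePHI system or data flow within the analysis scope
    threat: str            # reasonably anticipated threat
    vulnerability: str     # weakness that threat could act on
    current_controls: str  # security measures already in place
    likelihood: str        # "low" | "moderate" | "high"
    impact: str            # "low" | "moderate" | "high" (criticality)


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact on a 3x3 matrix.

    Thresholds are an assumption: product >= 6 is high, >= 3 is moderate,
    otherwise low. Unknown level names raise KeyError rather than guessing.
    """
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def build_register(findings):
    """Return findings as plain dicts with a computed risk, highest risk first."""
    rows = []
    for f in findings:
        row = asdict(f)
        row["risk"] = risk_level(f.likelihood, f.impact)
        rows.append(row)
    # Stable sort: ties keep their input order, so review notes stay predictable.
    rows.sort(key=lambda r: LEVELS[r["risk"]], reverse=True)
    return rows


def summarize(register):
    """Count findings per risk level for the executive summary of the documentation."""
    counts = {"high": 0, "moderate": 0, "low": 0}
    for r in register:
        counts[r["risk"]] += 1
    return counts


# Constructed sample findings for a hypothetical practice (not real data).
SAMPLE = [
    Finding("EMR server", "ransomware delivered by phishing", "no MFA on remote access",
            "antivirus installed, weekly backups", "high", "high"),
    Finding("Billing laptops", "device theft", "disks not encrypted",
            "cable locks", "moderate", "high"),
    Finding("Fax-to-email gateway", "misdirected transmission", "no recipient verification",
            "cover-sheet policy", "moderate", "moderate"),
    Finding("Scanning queue for archived charts", "unauthorized viewing", "shared login",
            "office area is access-controlled", "low", "moderate"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE)
    print(json.dumps(register, indent=2))   # the documented register
    print(summarize(register))              # per-level counts for the summary
```

The point of keeping the register as plain dicts is that the "finalize documentation" and "periodic review" steps become cheap: dump it to JSON or a spreadsheet this year, re-run it next year with updated likelihood and control fields, and diff the two.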
Understanding HIPAA regulations can be a burdensome challenge, and the complex requirements for performing a complete and accurate risk analysis can be difficult to understand. It's not surprising that a study by Kroll-HIMSS found 63 percent of organizations use a combination of internal and external resources -- such as a partner or vendor -- to complete their HIPAA risk assessments.
If you're one of the 37 percent who don't seek outside assistance from a professional, you can easily miss problems with your ePHI policies and procedures, and your oversight could be expensive. Consider the widely reported case of the Massachusetts dermatology practice that's paying HHS $150,000 in HIPAA fines for allowing an ePHI breach.
If your medical practice or health care organization needs help with its annual HIPAA risk assessment, or you have other questions about these issues, contact us for more information.
Logan Solutions is the health care technology company with a clinician's perspective. We provide clinical documentation expertise to customers using Dragon Medical with eClinicalWorks and other electronic medical record systems. Contact us to learn how our clinical and technological expertise can help your practice with Dragon Medical software and training, HIPAA compliance tools and EMR consulting.