There are many misconceptions about the Security Risk Assessment requirement in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulations are enforced by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS). The HIPAA Security Rule requires covered entities and their business associates, the organizations that create, receive, maintain or transmit “Protected Health Information” (PHI), to conduct a risk analysis and to review it regularly; in practice this is done as an annual Security Risk Assessment. Under the regulations, a Security Risk Assessment takes the entity through a security checklist each year to:
The regulations deliberately leave entities flexibility in how they address deficiencies. Some safeguards are “required,” and those must be implemented. Others are “addressable”: for these the entity may implement the safeguard, implement a reasonable alternative, or document why the safeguard is not reasonable and appropriate for its environment (cost is one of the factors the rule allows it to weigh) and defer it, provided the decision and its justification are recorded.
From the HIPAA regulation view, PHI may be either electronic or physical. A patient’s folder sitting on a nurse’s desk contains HIPAA-protected information, just as the Electronic Health Records system does. The Privacy Rule protects PHI in every form, while the Security Rule applies to electronic PHI and prescribes administrative, physical and technical safeguards for it, so the facilities, workstations and media that hold electronic PHI are in scope as well. A Security Risk Assessment therefore includes provisions that address both the physical and electronic worlds.
People in our industry have somehow come to believe that running specialized and expensive software on a client’s network will generate a report that meets the HIPAA Security Risk Assessment requirement. Unfortunately, the people pushing this software have not taken the time to read the HIPAA regulations. Technology risk is one factor in determining the risk to a patient’s data, but it is not the only risk the regulations require a Security Risk Assessment to review. Other risk factors include employee awareness and training, policy documentation, security governance, physical security, and document destruction. In short, the most intensive part of a HIPAA Security Risk Assessment is the consulting work: performing all of the non-technology security reviews, documenting the findings, assessing the risk, and determining options for correcting deficiencies.
A completed Security Risk Assessment addresses all of the areas required by the regulations and outlines the areas of compliance and deficiency in protecting PHI. Every area of deficiency must have an action plan stating how the entity is going to address it. The plan may include steps to eliminate the risk, or it may provide a documented business justification for accepting the risk and continuing to manage PHI with that risk in place. Part of a risk management program may also include insurance that pays the entity if a vulnerability identified in the report is exploited and PHI is improperly accessed.
DeckerWright Corporation is experienced in conducting Security Risk Assessments for our clients. Contact DeckerWright today for a free consultation on getting a Security Risk Assessment.