
DeckerWright Corporation Blog

HIPAA Security Risk Assessment Misinformation

There are many misconceptions about the requirement for Security Risk Assessments in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulations are enforced through the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS). The regulations require entities that hold “Protected Health Information” (PHI) to undergo annual Security Risk Assessments. Under the regulations, a Security Risk Assessment requires any entity that holds PHI to work through an annual security checklist to:

  • Document the security safeguards in place.
  • Identify areas of deficiency.
  • Document risks.
  • Describe what the entity is doing to address the deficiencies.

The regulations are clear that they allow entities the flexibility to determine how to address deficiencies, and to defer addressing a deficiency if the cost of addressing it is prohibitive.

From the HIPAA regulation view, PHI may be either electronic or physical. A patient’s folder sitting on a nurse’s desk contains HIPAA protected information, just like the Electronic Health Records system does. HIPAA makes no distinction between physical and electronic data, but does have specific regulations addressing both types. A Security Risk Assessment includes provisions that address both the physical and electronic worlds.

People in our industry have somehow come to believe that by running specialized and expensive software on a client’s network, the software will generate a report that meets HIPAA Security Risk Assessment requirements. Unfortunately, the people in our industry pushing this software have never taken the time to read the HIPAA regulations. Technology risk is one factor in determining the risk to a patient’s data, but it is not the only risk the statute requires a Security Risk Assessment to review. Other risk factors include employee awareness and training, policy documentation, security governance, physical security, and document destruction. In short, the most intensive part of a HIPAA Security Risk Assessment is the consulting work: performing all of the non-technology security reviews, documenting the findings, assessing the risk, and determining options for correcting deficiencies.

A completed Security Risk Assessment addresses all of the required areas in the regulations and outlines areas of compliance and deficiency for protecting PHI. Any area of deficiency must have an action plan stating how the entity is going to address the deficiency. The plan may include steps to eliminate the risk or could provide a business justification for recognizing the risk and continuing to manage PHI with the risk. Part of a risk management program may include insurance that pays the entity if the vulnerability identified in the report is exploited and PHI is improperly accessed. 

DeckerWright Corporation is experienced in conducting Security Risk Assessments for our clients. Contact DeckerWright today for a free consultation on getting a Security Risk Assessment.
