HIPAA Compliance: Conducting a Risk Assessment
Maybe you have determined you're a Business Associate (or a subcontractor of a Business Associate) or maybe you’re a Covered Entity for purposes of HIPAA and have not gotten around to conducting or updating your risk assessment. Now is the time to do it.
HIPAA requires that Covered Entities, Business Associates, and subcontractors of Business Associates “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 CFR § 164.308(a)(1)). To fulfill this requirement, every entity subject to HIPAA’s Security Rule must conduct a risk assessment: a “thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” Some of the largest penalties to date have been assessed against entities that failed to conduct a proper risk assessment and subsequently experienced a breach.
Until recently, there was little guidance on how a risk analysis should be conducted or what information it should contain. On March 28, 2014, however, the National Coordinator for Health Information Technology and the Office for Civil Rights announced the release of a security risk assessment tool for small-to-mid-sized healthcare organizations. The tool is available for download and comes with a tutorial video on how to use it. It walks an organization through each HIPAA requirement by asking a series of 156 "yes" or "no" questions, and every question explains what action, if any, should be taken. One such action might be drafting a specific policy that addresses a security issue.
Conducting a thorough risk assessment is a critical first step, especially for entities that have never done one or have not been updating their assessments routinely. The necessary second step is using the information gathered during the assessment to ensure HIPAA compliance. For help completing your risk assessment or drafting policies based on your assessment, please contact Nicole Stratton at firstname.lastname@example.org or (517) 371-8140.