
Health Care Law Blog

HIPAA Compliance: Conducting a Risk Assessment

Maybe you have determined that you are a Business Associate (or a subcontractor of a Business Associate), or maybe you are a Covered Entity for purposes of HIPAA, and you have not gotten around to conducting or updating your risk assessment. Now is the time to do it.

HIPAA requires that Covered Entities, Business Associates, and subcontractors of Business Associates “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 CFR § 164.308(a)(1)(i)). To fulfill this requirement, every entity subject to HIPAA’s Security Rule must conduct a risk assessment (the regulation calls it a “risk analysis”; the two terms are used interchangeably here). A risk assessment is an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” held by the entity (45 CFR § 164.308(a)(1)(ii)(A)). In the past, some of the largest penalties have been assessed against entities that failed to conduct a proper risk assessment and subsequently experienced a breach.

Until recently, there was little guidance on how a risk analysis should be conducted or what information it should contain. However, on March 28, 2014, the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) announced the release of a Security Risk Assessment tool aimed at small-to-mid-sized healthcare organizations. The tool is available for download and comes with a tutorial video on how to use it. It walks an organization through each HIPAA Security Rule requirement by asking a series of 156 “yes” or “no” questions, and each question explains what action, if any, should be taken in response. For example, one such action may be drafting a particular policy that addresses a security issue. Keep in mind that answering the questionnaire documents your assessment; it does not by itself remediate any gap the answers reveal.

Conducting a thorough risk assessment is a very important first step, especially for entities that have never done one or that have not been routinely updating their assessments. Entities must then take the necessary second step of using the information gathered during the risk assessment to ensure HIPAA compliance, for example by drafting or revising the policies the assessment shows to be missing. For help completing your risk assessment or drafting policies based on your assessment, contact your Foster Swift attorney.

Categories: Compliance, HIPAA

