{ Banner Image }

HIPAA Compliance: Conducting a Risk Assessment

hipaa complianceMaybe you have determined you're a Business Associate (or a subcontractor of a Business Associate) or maybe you’re a Covered Entity for purposes of HIPAA and have not gotten around to conducting or updating your risk assessment. Now is the time to do it.

HIPAA requires that Covered Entities, Business Associates, and subcontractors of Business Associates “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 CFR § 164.308(a)(1)). In order to fulfill these requirements, all entities subject to HIPAA’s Security Rule must run a risk assessment. A risk assessment is a “thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” In the past, some of the largest penalties have been assessed against entities that had failed to conduct a proper risk assessment and subsequently experienced a breach.

Up to this point, there was little guidance on how a risk analysis should be conducted and what type of information it should contain. However, on March 28, 2014, the National Coordinator for Health Information Technology and Office for Civil Rights announced the release of a security risk assessment tool for small–to-mid-sized healthcare organizations. The new risk assessment is available for download and contains a tutorial video on how to use the new tool. The risk assessment tool walks companies through each HIPAA requirement by asking a series of 156 "yes" or "no" questions. Every question explains what, if any, action should be taken. For example, one such action may be drafting a particular policy that addresses a security issue.

Conducting a thorough risk assessment is a very important first step, especially for entities that have not already done so or for entities that have not been routinely updating their assessments. The entities must then take the necessary second step of using the information gathered during the risk assessment to ensure HIPAA compliance. For help completing your risk assessment or drafting policies based on your assessment, contact your Foster Swift attorney

Categories: Compliance, HIPAA


Type the following characters: hotel, hotel, mike, foxtrot

* Indicates a required field.

Subscribe to RSS»
Get Updates By Email:

Best Lawyers® 2021

Congratulations to the attorneys of the Health Care practice group at Foster Swift Collins & Smith, PC for their inclusion in the Best Lawyers in America 2021 edition. Firm-wide, 44 lawyers were listed. Best Lawyers lists are compiled based on an exhaustive peer-review evaluation and as lawyers are not required or allowed to pay a fee to be listed; inclusion in Best Lawyers is considered a singular honor. Health Care practice group members listed in Best Lawyers are as follows:

To see the full list of Foster Swift attorneys listed in Best Lawyers 2021, click here.