What is a HIPAA risk assessment?


By Bill Minahan   |   May 4, 2020


A HIPAA risk assessment is an evaluation of how your healthcare organization creates, receives, maintains, and transmits protected health information (PHI), and of the risks to that information. It is a required element of compliance with HIPAA’s administrative, physical, and technical safeguards; on its own it does not make you compliant, but you cannot be compliant without one.

The risk assessment requirement comes from the HIPAA Security Rule, published in 2003, which requires covered entities to assess the risks to electronic PHI across all three categories of safeguards: administrative, physical, and technical.

In addition, the Final Omnibus Rule extended the risk assessment requirement to Business Associates of health care organizations. Any business that handles, stores, or transmits PHI on behalf of a covered entity is therefore also required to conduct a security risk assessment.

The objective of the HIPAA risk assessment is to reveal weaknesses in the way you create, store, and handle protected health information (PHI) within your organization.

HIPAA requires every covered entity and business associate that deals with PHI to complete a risk assessment.

How does a HIPAA risk assessment work?

Essentially, a HIPAA risk assessment works by analyzing your policies, processes, systems, and methods in order to identify weaknesses that could expose PHI. Your IT team or a trusted third party can then investigate each finding and reduce the risk to a reasonable and appropriate level, which is what the Security Rule’s risk management requirement asks for.

Furthermore, the risk assessment tests your organization’s ability to protect the confidentiality, integrity, and availability of PHI.

Specifically, the HIPAA risk assessment enables businesses to achieve the following:

  • Identify where and how PHI is stored, received, maintained or transmitted
  • Identify and document potential threats and vulnerabilities to PHI
  • Evaluate and identify current security measures used to safeguard PHI
  • Assess and evaluate security policies and procedures used to safeguard PHI
  • Determine the likelihood of threats and security incidents
  • Assess the likelihood and impact of a breach of PHI
  • Define and assign risk levels for vulnerability and impact combinations
  • Document assessment and take necessary action

These, along with other deliverables intended to protect PHI, form the output of the assessment. However, a HIPAA risk assessment is not a one-time exercise. HIPAA compliance is a process: it requires periodic reassessment, especially after changes to your systems or business, and a strong security foundation.

Furthermore, it requires aligning your technology, people, and business leaders to protect PHI.

What happens if you do not complete the HIPAA risk assessment?

HIPAA non-compliance can have costly consequences for health care organizations and the covered entities they work with.

Today, the “Did Not Know” HIPAA violation category rarely applies. When a business suffers a security incident or PHI breach, ignorance is no longer an excuse. HIPAA expects healthcare organizations to understand and comply with their obligation to protect PHI.

The severity of fines correlates with the extent of the PHI breach and the level of negligence involved; penalties are tiered by culpability, from violations the organization could not reasonably have known about up to willful neglect left uncorrected. As a result, the consequences of a HIPAA violation can range from a slap on the wrist to shutting the doors of your practice indefinitely.

Therefore, HIPAA compliance is important for healthcare organizations and covered entities.

HIPAA Compliance

If your organization is looking for help meeting HIPAA compliance or partaking in a HIPAA risk assessment, aNetworks is here to help. Our compliance experts identify gaps in your compliance and determine, implement, and test security measures and controls to fix them.

With our team of experts, you can become audit-ready in no time.

If you are interested in learning more about our compliance management, then please contact us below.

Contact us

Otherwise, you can call us directly at 855-459-6600.

Furthermore, if you are looking for more information, check out our HIPAA compliance 2020 checklist.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.