HIPAA risk assessments are not a one-time requirement, but a recurring task necessary to ensure continued compliance. The HIPAA risk assessment and the analysis of its findings help organizations comply with many other areas of the HIPAA compliance checklist, and they should be reviewed regularly and whenever changes to the workforce, work practices or technology occur.
Depending on the size, capability and complexity of a covered entity, compiling a fully comprehensive HIPAA risk assessment can be an extremely complex task.
The objectives of a HIPAA risk assessment include:
- Identifying the Protected Health Information (PHI) that your organization creates, receives, stores and transmits, including PHI shared with consultants, vendors and business associates.
- Identifying the human, natural and environmental threats to the integrity of PHI, including those which are both intentional and unintentional.
- Assessing what measures are in place to protect against threats to the integrity of PHI and the likelihood of a “reasonably anticipated” breach occurring.
- Determining the potential impact of a PHI breach and assigning each potential occurrence a risk level based on the average of the assigned likelihood and impact levels.
- Documenting the findings and implementing measures, procedures and policies, where necessary, to tick the boxes on the HIPAA compliance checklist and ensure HIPAA compliance.
Note: Records for the HIPAA risk assessment, the rationale for the measures, procedures and policies subsequently implemented, and all policy documents must be kept for a minimum of six years.
The HIPAA Security Rule contains the standards that must be applied to safeguard and protect PHI when it is at rest and in transit. The rules apply to anybody or any system that has access to confidential patient data. By “access” we mean having the means necessary to read, write, modify or communicate electronic PHI (ePHI) or personal identifiers that reveal the identity of an individual.
Also note: There are three parts to the HIPAA Security Rule – technical safeguards, physical safeguards and administrative safeguards.