Conducting Health Insurance Portability and Accountability Act (HIPAA) security risk assessments has been required for years, but many small or independent practitioners haven’t bothered because of the burden. The proliferation of practitioners using one or more devices with clinical populations has required an expedited process to relieve complications and burdens related to HIPAA compliance.
Healthcare IT News reported that HHS’s Office for Civil Rights and the Office of the National Coordinator for Health IT have released a “security risk assessment tool” for small and mid-sized entities. Officials explained, “The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the … HIPAA Security Rule.” The tool is available as a downloadable mobile app. It also can create a report to be shown to auditors.
With HIPAA, all “covered entities” must “regularly review the administrative, physical and technical safeguards they have in place to protect the security of [protected health] information.” As HHS staff noted in their recent news release, “By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems.” According to National Coordinator for Health Information Technology Karen DeSalvo, the new tool will meet providers’ needs and goals: “Protecting patients’ protected health information is important to all health care providers and the new tool we are releasing today will help them assess the security of their organizations.”
HHS officials noted that “risk analysis tops the list for where health care entities often make their biggest HIPAA misstep.” As Health care data breaches have involved “more than 30 million people [having] their protected health information compromised” and “Organizations have been required to pay $18.6 million in settlement fines. State fines are not included in that estimate. As we have reported here at the TeleMental Health Institute, the most frequently reported target for HIPAA enforcement is private practices. This new tool will simply and expedite the regular risk assessment task of the private or small group practitioner.
HHS and ONC are asking for comments from users.