Understanding Your HIPAA Risk Assessment Requirements
Health care professionals of every size and scope need to complete a HIPAA risk assessment. HIPAA risk assessments are one of the foundational steps you can take to address HIPAA security requirements within your practice.
HIPAA risk assessments must be performed by all HIPAA-beholden entities annually to ensure that protected health information (PHI) is being properly safeguarded. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, addresses, emails, phone numbers, any part of a patient’s medical record, Social Security numbers, insurance ID numbers, and full facial photos, to name a few.
As per the HIPAA Security Rule, HIPAA risk assessments must be executed every year. In addition, health care professionals must fully document their HIPAA risk assessments in order to demonstrate that they have completed their requirements. In the event of a HIPAA audit, health care providers must be able to provide documentation of their compliance program, which is why having an effective tracking mechanism, portal, or app can provide such peace of mind.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) provides an online tool that HIPAA-beholden entities can use to perform their risk assessments.
Note that this tool only provides the skeleton for performing the assessment itself. Another key component of HIPAA regulation states that all deficiencies uncovered by your HIPAA risk assessment must then be remediated and fixed. Any efforts you take toward remediating these gaps must be documented in formalized remediation plans.
Remediation plans must identify each and every gap uncovered by your risk assessments. Each one must also name an individual within your organization responsible for fixing the gap, how the gap will be fixed, and a timeline for completion of your remediation efforts.
HIPAA Risk Assessments Alone Are Not Enough…
As important as HIPAA risk assessments are, they are only a fraction of what’s required to be fully compliant with the federal regulation.
In addition to risk assessments, behavioral health practitioners must also address:
- Audits to assess their level of compliance with the regulation (this includes your HIPAA risk assessments)
- Documented remediation plans, as discussed above
- Policies and Procedures addressing each of the HIPAA standards
- Employee training, conducted annually for each employee, along with documented attestation
- Documentation of your entire compliance program, stored in one centralized format
- Business associate management to keep track of health care vendors
- Incident management to mitigate the impacts of HIPAA violations and data breaches
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure.Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!