HIPAA (Health Insurance Portability and Accountability Act) serves as a constant reminder to professionals in the healthcare field that data security is of utmost importance. Every company that works directly with protected health information (PHI), along with their business associates, is required to complete a risk assessment.
What is a Risk Assessment?
HIPAA requires covered entities, which includes health plans, healthcare providers, and healthcare clearinghouses to complete a thorough risk assessment to determine all possible vulnerabilities in terms of data security. A HIPAA risk assessment should determine that your organization is in compliance with all of the privacy, security and breach notification requirements of HIPAA. It is required of both covered entities and business associates. This can be achieved via the risk assessment process, the goal of which is to identify all of the potential areas of vulnerability.
Why is a HIPPA Risk Assessment Mandatory?
HIPPA regulations exist to cover data security. Covered entities are responsible for assessing, identifying, documenting vulnerabilities and taking precautions to eliminate or mitigate the risk of a breach. An organization can be fined for the failure of due diligence to recognize areas where a data breach could occur. For example, the Centers for Medicare and Medicaid Services reported a wireless health service provider violated HIPPA Privacy and Security rules when a laptop with PHI was stolen from an employee’s vehicle. The investigation revealed insufficient risk analysis and the company agreed to pay $2.5 million and implement a corrective action plan. Companies are also subject to a fine fined even if no data has been breached, but they allowed a situation to develop which creates vulnerability.
What Does a HIPPA Risk Assessment Entail?
Due to the unique vulnerabilities of electronically stored and transmitted data, a professional in cybersecurity, data protection, and data backups should handle your risk assessment. Wahaya’s cybersecurity and compliance services can assist your organization with internal compliance and the specific requirements to protect you from legal regulations regarding PHI and HIPAA. Here is a quick summary of what a risk assessment entails: A risk assessment should first determine (a) where PHI resides, moves, or is transmitted, and all of the access points. For example, the individuals in an office that have access to patient data and via what media. Interestingly, the rise of mobile devices has created a new area of concern for data security because medical professionals can access data on their phones and tablets.
Then, the assessment should determine the vulnerabilities along all of these touchpoints. That means identifying the threats to data security, which HHS summarizes in four categories:
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system.”
Next, a risk assessment will need to identify and evaluate all of the existing security protocols to protect PHI.
The following step is to determine if these tools are sufficient for data protection and whether the protocols and safeguards are being observed.
After that, identify the likelihood of a threat. In other words, not all risks are of equal likelihood. As there are limits to an organization’s capacity to eliminate risk, the focus should be on the ones which have a higher probability of occurrence.
Finally, calculate the likely consequences of a breach of PHI. If a breach occurs along any particular touchpoint, how severe would it be? Would it be the release of a single piece of PHI, or one affecting thousands? Given that so much data is now stored electronically, the risk of a data breach is considerably higher and security is far more complex. It needs to be noted that ignorance of any part HIPAA Guidelines is not an excuse for non-compliance. Failure to do a risk assessment, or to have conducted an adequate risk assessment that failed to identify specific vulnerabilities is, in and of itself, a fineable offense.
Given how quickly the digital landscape changes, it is important to consult an expert with experience in HIPAA related digital security. Wahaya IT Consulting can help protect your business and your patients’ PHI from HIPAA violations with a thorough risk analysis, adding data security measures, and following all security and compliance regulations. Click here to contact our team of IT Professionals!