A HIPAA risk assessment checklist is crucial in conducting a HIPAA risk analysis. Identifying risks that could impact protected health information (PHI) is an essential part of HIPAA compliance. In a time when data breaches are on the rise and threats to security seem to lurk in every dark corner, quickly and efficiently identifying those risks is more important than ever. Thus, the regular use of a HIPAA risk assessment checklist is vital to your operations.
Developing your HIPAA risk assessment checklist
This checklist will help guide your HIPAA risk analysis development for your organization. Consider these areas as a basis for your own assessment so that it’s specific to your needs:
- Overview of PHI. Look at the type of PHI your company has access to, where it is stored within your organization and how it is transmitted.
- Security measures. Examine how PHI that your organization governs or manages is protected. Are the required security measures currently in place? More importantly, do they comply with the HIPAA Security Rule?
- Vulnerabilities. Identify potential gaps in your PHI security and safeguards. Look for areas where you may be weak to note areas where a threat would be likely. Examine where and how you manage and maintain PHI. Is there anything that could impact the integrity and security of that system?
- Level of risk. Assign a risk level to each threat, weakness, and gap in security. Rank each risk from greatest to least, but avoid ignoring “lesser” threats. Do not fail to give them proper attention. After all, even a small threat can balloon into a big one if it’s not addressed correctly. Low risk does not equal no risk.
- Final assessment. Assemble all of your data. It should clearly outline the PHI you manage and maintain. Document security measures, vulnerabilities, and levels of risk. The completed assessment should provide a comprehensive look into how you protect PHI. It should detail a plan for mitigating any breaches or risks that threaten the integrity of PHI.
Addressing all the areas of this HIPAA risk assessment checklist will help keep your organization compliant.
Do you need a HIPAA risk assessment?
Every organization that deals with PHI must complete a HIPAA risk analysis, and not just once! A HIPAA risk assessment or risk analysis addressing the security rule is required. Assessing the privacy and breach rule is also an important part of your Risk Analysis. In fact, the consequences for any PHI breach (even one that is small or seemingly trivial) can carry steep penalties.
Here are 5 often asked questions which The Fox Group has received about the privacy/breach rule-it demonstrates the level of “need to know” is often lacking.
Unfortunately, a violation is a very public affair. Under the law, the organization must comply with HIPAA breach notification requirements. And depending on the nature/size of the breach these may include alerting:
- The individuals impacted.
- The Department of Health and Human Services (HHS).
- The media.
Besides any reputational consequences, the financial penalties for a HIPAA violation can be considerable! There is a four-tier penalty structure for violations. These range from no awareness of the violation while still making every effort to comply with HIPAA rules to willful neglect with no effort made to correct the violation.
Each tier carries a financial penalty. Tier 1 has a minimum fine of $100 and a maximum of $50,000 per violation. Tier 4 has a minimum fine of $50,000 per violation. All tiers are capped at a maximum fine of $1.5 million per year. So as you can see, failing to comply can be costly, even if it’s not intentional.
Setting the parameters for your risk analysis
The Office for Civil Rights (OCR), under the HHS, is the governing body for HIPAA. The OCR doesn’t have a standard risk assessment even though they do require all organizations to conduct a risk audit that is both accurate and thorough.
Different organizations have different needs, vulnerabilities, and processes that affect their security. So, standardizing the process is not practical.
The assessment should be tailored specifically to those areas. When developing your HIPAA risk assessment checklist, you should consider the following:
- Your security protocols.
- Whether your employees are trained in HIPAA security regulations.
- The level of staff awareness of HIPAA requirements.
Your assessment should examine current, future, and potential risks. Highlight gaps in security, and review previous breaches, if any. Examine all these areas closely. To get started you may want to download this free HIPAA compliance checklist.
Create a repeatable process to monitor and maintain
There is no fixed schedule set forth by the Security Rule for how often you should run your risk analysis. Most experts recommend performing one annually. You should also complete one when your organization undergoes significant changes, such as:
- Incoming or exiting employees.
- Organizational move to a new location.
- Addition of satellite offices or branches.
- New hardware.
- New software.
Any of these events can affect how your organization interacts with, manages, and processes PHI. Also, it can increase or decrease your level of risk or even create new areas of vulnerability. In addition, even political, societal, and economical events can affect your risks and weaknesses. Indeed, a lot can happen in a year – in your organization, your community, your industry, and the world. So, being proactive with developing your HIPAA risk assessment/analysis checklist can safeguard your data, protect your reputation, save you money and keep you in compliance.