The requirement to complete a HIPAA Risk Assessment has been in place since the original HIPAA Privacy Rule was issued years ago. However, very few healthcare organizations have completed such an assessment. And while enforcement of these requirements may have been slow to take shape, the Office for Civil Rights (OCR) is now aggressively pursuing HIPAA violations ... and penalties are steep.
Expert HIPAA Risk Assessment
The Fox Group can assist your organization with performing a HIPAA Risk Assessment. Many organizations perform these audits internally, but an outside review can be more thorough, and the advice you receive on compliance will not be predetermined by the approach the organization has previously taken to such compliance. Don’t leave your organization subject to fines and negative publicity associated with a privacy breach or other missteps, given OCR's elevated focus on HIPAA today.
The Fox Group has decades of experience and is well versed in addressing the details needed to help your organization comply with current HIPAA regulations. We can help to design and set up systems that will benefit you for years to come. The following will help you to further understand your organization's responsibility and the scope of services that we provide when engaged to complete a HIPAA risk assessment.
HIPAA Risk Analysis as It Relates to the HITECH Act and Meaningful Use
The HITECH Act updated the HIPAA law by introducing several additional requirements and privacy safeguards, and the Meaningful Use criteria for certified EHR technology include a specific requirement to perform a HIPAA Risk Assessment in order to qualify for the HITECH Act incentives for adopting EHR technology. This means there are two imperatives for performing a HIPAA Risk Assessment:
- The original requirement in the HIPAA Privacy Rule, and
- For healthcare organizations applying for HITECH Act EHR Meaningful Use incentives, the requirement to complete a HIPAA Risk Assessment as part of certifying the organization’s use of certified EHR technology.
Proper completion of your HIPAA risk assessment must include both Privacy and Security Rules
The HIPAA Privacy Rule refers to those standards that protect individuals’ medical records and other protected health information (PHI). They require appropriate safeguards intended to protect the privacy of PHI, and give patients rights over their health information.
Sample areas covered by our HIPAA Privacy Rule assessment include:
- Privacy & Confidentiality
- Notice of Privacy Practices
- Marketing/Fundraising/Sale of PHI
- Minimum Necessary Rule
- Research Authorizations
- Employee Training
- Access to PHI
- HIPAA Compliance in Front and Back Office, and by Providers
- Business Associate contracting activities and BA Agreements in use
The HIPAA Security Rule refers to standards intended to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate (1) administrative, (2) physical, and (3) technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Sample areas covered by our HIPAA Security Rule assessment include:
- Security Management
- Worker Sanctions
- Security Responsibilities
- Workforce Clearance/Termination Procedures
- Authorization and Supervision of Access to ePHI
- Isolating Health Care Clearinghouse Functions
- Log-in Monitoring
- Password Management
- Security Incidents
- Protection from Malware
- Security Awareness Training/Security Reminders
- Risk Analysis/Vulnerability Assessment
- Contingency Planning
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Testing and Revision Procedures
- Applications and Data Criticality Analysis
- Facility Access Controls; recommend changes/updates
- Facility Security Plan, including access controls and maintenance/repairs
- Workstation Use/Security Policies and practices
- Policies and Procedures for Device and Media Controls (Disposal/Reuse/Accountability)
- Technical (administrative) policies to manage PHI access (User ID, Emergency Access, Auto Log-off, Encryption)
- Audit Controls, Integrity, Authentication (PHI and Person)
- Transmission Security (Integrity and Encryption)
- Breach Notification Plan/Procedures