You must complete a HIPAA risk assessment each year, and now is the time to do so. Conducting an annual HIPAA risk assessment is an important part of compliance, as well as being integral to protecting your business against breaches. This is because risk assessments reveal vulnerabilities, threats, and risks to protected health information (PHI), thus uncovering deficiencies in your current security practices.

How Are Vulnerabilities, Threats, and Risks Defined?

The Department of Health and Human Services (HHS) refers to the National Institute of Standards and Technology (NIST) when it comes to cybersecurity. 

NIST Special Publication (SP) 800-30 defines:

  • Vulnerability as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
  • Threat as “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
  • Risk as “The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . [R]isks arise from legal liability or mission loss due to—
    1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
    2. Unintentional errors and omissions
    3. IT disruptions due to natural or man-made disasters
    4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

When Is the Best Time to Conduct Your Annual HIPAA Risk Assessment?

The ideal time to perform an annual HIPAA risk assessment is at the end of the calendar year. The end of the year is when strategic planning takes place for the following year. Strategic planning involves considerations such as new technology adoption, personnel changes, and budgeting, among others, that trigger the obligation to complete a security risk assessment (SRA). By conducting an SRA before the end of the calendar year, an organization will have an excellent idea of what its security posture is before making operational changes that take effect the following year. Also, Medicare and Medicaid require completion of the MIPS Security Risk Assessment by the end of the calendar year. By completing the SRA at the end of the year, you satisfy both your HIPAA and MACRA/MIPS obligations.


How Do You Prepare for Your Annual HIPAA Risk Assessment?

There are a few steps you can take to help you prepare for your annual HIPAA risk assessment.

  1. Identify the electronic PHI (ePHI) within your organization including ePHI that you create, receive, maintain, or transmit.
  2. Identify external sources of ePHI. These are your business associates that create, receive, maintain, or transmit ePHI on your behalf.
  3. Identify human, natural, and environmental threats to information systems that contain ePHI.
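As an added illustration (not part of this page or of Compliancy Group's tool), the three inventory steps above combined with the SP 800-30 definition of risk as a small scored register: each entry pairs an ePHI asset with a threat and the vulnerability it could exercise, and likelihood times impact ranks what goes into the remediation plan. The 1-3 scales, asset names and the business associate are constructed assumptions.

```python
from dataclasses import dataclass

# Ordinal scales for the two factors in the SP 800-30 definition of risk
# (probability and impact). The 1-3 scale is an assumption of this example.
SCALE = {"low": 1, "medium": 2, "high": 3}
THREAT_CATEGORIES = {"human", "natural", "environmental"}   # step 3 above

@dataclass(frozen=True)
class Asset:
    name: str
    ephi_handling: str   # create / receive / maintain / transmit (step 1)
    held_by: str         # "internal" or the business associate holding it (step 2)

@dataclass(frozen=True)
class Threat:
    description: str
    category: str        # human / natural / environmental
    def __post_init__(self):
        if self.category not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.category}")

@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    vulnerability: str   # the flaw the threat could exercise
    likelihood: str
    impact: str
    def score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

def remediation_queue(risks, threshold=4):
    """Risks at or above threshold, highest score first, for the remediation plan."""
    return sorted((r for r in risks if r.score() >= threshold), key=lambda r: -r.score())

# Constructed sample inventory (not real systems or vendors)
EHR = Asset("EHR database", "maintain", "internal")
CLEARINGHOUSE = Asset("claims feed", "transmit", "ExampleClearinghouse (business associate)")
BACKUPS = Asset("backup NAS", "maintain", "internal")
PHISHING = Threat("credential phishing of staff", "human")
FLOOD = Threat("flooding of server room", "natural")
POWER = Threat("extended power failure", "environmental")

SAMPLE_RISKS = [
    Risk(EHR, PHISHING, "remote access without multi-factor authentication", "high", "high"),
    Risk(CLEARINGHOUSE, PHISHING, "claims sent over an unencrypted channel", "medium", "high"),
    Risk(BACKUPS, FLOOD, "only copy of backups stored on site", "low", "high"),
    Risk(EHR, POWER, "no UPS or generator for the database host", "medium", "medium"),
]
```

With the sample data, `remediation_queue(SAMPLE_RISKS)` returns the three risks scoring 9, 6 and 4, leaving the low-likelihood flood risk documented but below the remediation threshold.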

Using a HIPAA Risk Assessment Tool

You can conduct an annual HIPAA risk assessment on your own, but using a risk assessment tool ensures that you don’t miss a step. While the above steps seem pretty straightforward, there are several questions that arise from each of them. For instance, how do you protect your ePHI, how do your business associates protect ePHI, and how do you address threats to ePHI? These questions are just a few of the many that you need to answer in order to conduct an accurate and thorough assessment.

Compliancy Group offers clients a risk assessment tool that is easy to use. Located within our HIPAA compliance software platform, our risk assessment tool consists of a series of yes/no questions that cover every aspect of meeting your risk assessment requirements. You can also assign risk assessment questions to other employees within your organization, or your external IT manager. This way you ensure that all questions are answered accurately and responses can be tracked. 

How to Use the Information Uncovered by Your SRA

The purpose of conducting an SRA is to uncover deficiencies in your current security protections. To be HIPAA compliant, you must take the information you learned from your SRA and apply it to remediation plans to close security gaps.

Remediation plans may include:

  • Designing appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
  • Identifying what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
  • Deciding whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
  • Addressing what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  • Determining the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

Compliancy Group’s HIPAA compliance software not only provides you with a risk assessment tool, it also designs remediation plans based on your answers. By using our software you can easily meet all of your risk assessment requirements, as well as become fully compliant with HIPAA.