A HIPAA risk assessment is an essential component of HIPAA compliance. HIPAA risk and security assessments give your business a strong foundation for protecting your patients’ data. Without performing this assessment, how will you know where you are deficient? More importantly, how will you know what to fix? When an organization does not implement proper security measures, a data breach can occur, and the results can be devastating because of the resulting HIPAA violations and fines.
A recent example of this was seen with Medical Informatics Engineering (MIE). MIE experienced a data breach which impacted 3.5 million patients. As a result, MIE is responsible for paying the Office for Civil Rights a monetary penalty of $100,000, along with implementing a corrective action plan.
Indiana-based MIE is a software and electronic medical record vendor to the healthcare industry. On May 26, 2015, the organization discovered suspicious activity on one of its servers and declared it a cyberattack.
After investigation, it was determined that hackers used a compromised user ID and password to gain access to the electronic protected health information (ePHI) of 3.5 million patients. This sensitive data included Social Security numbers, clinical data, health information, dates of birth, and even email addresses.
It was reported that MIE failed to conduct a comprehensive risk assessment, leaving them unaware of potential risks to ePHI prior to the breach’s occurrence.
OCR Director Roger Severino commented on MIE’s data breach — one of the largest breaches in recent healthcare history: “Entities entrusted with medical records must be on guard against hackers. The failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA.”
Creating a HIPAA Risk Assessment Template for Your Business
Under the HIPAA Security Rule, all HIPAA-beholden entities must conduct a thorough risk assessment within their organization. HIPAA regulation is built on the premise of safeguarding the privacy and security of protected health information (PHI) or Electronic Protected Health Information (ePHI).
When performing a HIPAA risk assessment, you must address your business’ administrative, physical, and technical compliance with the HIPAA Security Rule. Here are some brief explanations of each component of a HIPAA risk assessment:
- Administrative: the administrative assessment looks at the processes your business has in place to ensure the security of PHI. Think about:
  - What kind of security policies does your business have in place?
  - Are your employees trained on HIPAA security requirements?
- Physical: the physical assessment is an audit of your business’ physical premises to ensure that proper security safeguards are in place. Think about:
  - Are your health records kept in locked cabinets?
  - Do you have an alarm system for the physical premises?
- Technical: the technical assessment audits the safeguards your business has in place to keep the electronic transmission, storage, and access to PHI secure. Think about:
  - What kind of firewall do you have in place?
Compliancy Group Can Help!
The simplest way to handle your HIPAA risk assessment is with an automated solution. Click here to schedule a free HIPAA consultation to find out the options you have and how you can address your HIPAA risk assessment.
Compliancy Group provides healthcare professionals with the tools they need to effectively address their HIPAA compliance with our web-based HIPAA compliance tracking app, The Guard™. The Guard simplifies HIPAA compliance and allows users to address every element of the regulation.
We have a unique methodology that has made us the industry leaders in simplified compliance. Users are paired with an expert Compliance Coach™ who guides them through each and every step of their compliance program. We answer your questions and give you a compliance program that is truly tailored to the needs of your individual business.
And in the event of a data breach or HIPAA audit, our Audit Response Program™ guides our users through the entire documentation and reporting process. At Compliancy Group, we go above and beyond to help demonstrate your “good faith effort” toward HIPAA compliance.