Recently, many organizations have begun to wonder whether a risk assessment is mandatory. This is partly due to misinformation on some websites claiming that the HIPAA mandatory risk assessment is not actually mandatory. The question "Is a HIPAA risk assessment mandatory?" is answered below.

HIPAA and Risk Assessment: HIPAA Mandatory Risk Assessment

Is a HIPAA risk assessment mandatory? The Health Insurance Portability and Accountability Act (HIPAA) sets forth industry standards to safeguard protected health information (PHI). One such standard is the HIPAA mandatory risk assessment. HIPAA requires organizations working with PHI to conduct a risk assessment to determine whether their administrative, technical, and physical safeguards are adequately protecting PHI.


  • Administrative: Administrative safeguards include creating policies and procedures that dictate the proper use and disclosure of PHI. PHI should only be used or disclosed as needed to complete a specific job function, known as the minimum necessary standard. To ensure that this standard is met, employees must be trained annually on their organization’s policies and procedures, as well as on HIPAA standards.
  • Physical: Physical safeguards include securing areas that contain PHI. They may include installing alarm systems, locks on doors and cabinets storing patient files, CCTV cameras, etc.
  • Technical: Technical safeguards include securing devices that have access to electronic protected health information (ePHI), which is protected health information in electronic form. They may include encryption, firewalls, antivirus, multi-factor authentication (MFA), etc.

These safeguards must ensure that the confidentiality, integrity, and availability of PHI are maintained. If an organization’s safeguards are not adequate, the organization must address the deficiencies with remediation plans. Remediation plans close the gaps identified through the HIPAA mandatory risk assessment, ensuring that safeguards meet HIPAA standards.

HIPAA and Risk Assessment: HIPAA Risk Assessment Frequency

The HIPAA risk assessment frequency requirement states that organizations must conduct the assessment annually. The assessment must be repeated annually to account for changes in business practices, as well as changes in HIPAA and risk assessment requirements.

Is a HIPAA Risk Assessment Mandatory?

So, is a HIPAA risk assessment mandatory? Yes, the HIPAA mandatory risk assessment is in fact mandatory. What is the HIPAA risk assessment frequency requirement? As with all other mandatory self-audits, the HIPAA mandatory risk assessment must be completed annually.
