HIPAA Security Risk Assessments: 5 Things to Know
The Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare organizations complete an annual security risk assessment (SRA). An SRA allows organizations to identify areas in which their security practices may be lacking. Completing an SRA enables organizations to develop remediation plans, specific to their organization, to ensure that protected health information (PHI) is properly protected.
- Security Risk Assessments (SRAs) Safeguard Protected Health Information (PHI)
Communicating via the internet is increasingly common, even between healthcare organizations and patients. Managing communication used to be straightforward, but technological advancements that allow for quicker communication bring increased cybersecurity risk. Medical-based web applications give patients easy access to their doctors and medical information; however, all of these applications have to be monitored to ensure that PHI is safeguarded.
In the past two years, 81% of healthcare organizations have been breached in some manner. Healthcare organizations are particularly appealing targets for cyberattacks as healthcare information is ten times more valuable than financial information.
The HIPAA Security Rule mandates that healthcare providers have adequate safeguards in place to protect PHI. Healthcare organizations are required to assess their physical, administrative, and technical safeguards annually to ensure that they are properly handling PHI. This is done through a security risk assessment.
Conducting a security risk assessment identifies gaps in security practices; organizations must create remediation plans determining how they plan, or are already working, to close those identified gaps.
- HIPAA Regulations do not Specify How to Complete an SRA
The Health Insurance Portability and Accountability Act (HIPAA) established industry standards for healthcare organizations. The law was meant to apply to all healthcare organizations, from single doctor practices to large hospital groups. As such, HIPAA law is vague, allowing healthcare organizations to determine what they need to implement to adequately safeguard PHI.
Although the Office for Civil Rights (OCR) provides some guidelines, they do not explicitly tell organizations what needs to be included in a security risk assessment. Organizations must determine what is right for them when assessing if they are correctly securing PHI.
- Lack of an SRA can Result in Large HIPAA Fines
HIPAA fines are skyrocketing, with the average fine at $1.5 million. HIPAA violations, in many cases, are the result of human error. Losing a device or opening a malicious email link can lead to HIPAA violations. A security risk assessment ensures that in the event of a breach, organizations will have the proper measures in place protecting PHI. HIPAA fines are not issued due to the breach itself, since the OCR realizes that breaches are inevitable; fines are issued for lack of adequate safeguards. Conducting a security risk assessment allows healthcare organizations to identify where their security practices may be lacking, so that they can make necessary updates, minimizing their risk of HIPAA fines.
- “Safe Harbor” Method
As stated previously, HIPAA fines are not issued for lost devices, but for lack of safeguards. HIPAA’s “Safe Harbor” method gives healthcare organizations guidelines that they should implement to de-identify patient information. De-identified information cannot be linked to a specific individual. De-identifying patient information protects healthcare organizations from HIPAA fines; if a device holding PHI is lost or stolen, PHI will be unreadable, making it likely that the organization will not be subject to fines.
- SRAs Increase Cybersecurity
Cybersecurity should be a top priority for healthcare organizations. Conducting a security risk assessment allows organizations to identify areas in which their security is lacking so that they may address vulnerabilities.
Do you Need Help Conducting a Security Risk Assessment?
Compliancy Group gives healthcare providers and vendors working in healthcare the tools to confidently address their HIPAA compliance in a simplified manner. Our cloud-based HIPAA compliance software, the Guard™, gives healthcare professionals everything they need to demonstrate their “good faith effort” towards HIPAA compliance.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and Managed Service Provider (MSP) security partners from across the country, who can be contracted to handle your HIPAA cybersecurity protection.