What to consider when conducting a risk assessment
by Kelly Grahovac
June 5, 2018

Here at mid-year, there is no better time to ensure your practice is compliant, especially where the Health Insurance Portability and Accountability Act (HIPAA) regulations are concerned.

Understanding the HIPAA regulations isn’t easy, but this article presents some suggestions to get you started in the right direction.

Generally, when HIPAA comes up, the discussion is associated with a hospital or a medical group where a breach or HIPAA violation occurred. What most people don’t know is that HIPAA applies to organizations outside of hospitals and health networks.

Who exactly needs to be compliant when it comes to HIPAA? It can seem somewhat vague when you start looking at the federal law that restricts the release of medical information. The U.S. Department of Health and Human Services (HHS) describes those who must be compliant as “covered entities.” Let’s dig a little deeper to help understand what types of organizations are considered a covered entity.

Health plans fall under the covered entity title. This includes anyone who deals with patients’ insurance or medical information. Examples are HMOs, Medicare and Medicaid, as well as private insurers. Covered entities also include employers and their human resource employees, and schools, that handle patient information when employees are hired and students are enrolled.

Health care clearinghouses, organizations that collect any patient information from health care entities, are also in the covered entity description. Examples include billing and collection services and health management information systems.

Health care providers as covered entities include physicians, surgeons, dentists, optometrists, hospitals, clinics, nursing homes/care facilities and pharmacies.

While the examples of covered entities may seem obvious, most people don’t realize that business associates must be HIPAA-compliant, too. Anyone you work with who falls under any of the following examples plays a role in ensuring that your business is compliant. Examples of business associates include data processors, medical equipment companies, consultants, medical transcription services, external accountants and auditors, and any third-party organization dealing with protected health information (PHI).

PHI includes any conversation with medical professionals about a patient’s care or treatments, any patient billing information and any medical insurance information. Anyone who accesses or deals with PHI should comply.

Determining Risk for HIPAA Violation

In 2003, HHS issued the original HIPAA Privacy Rule in response to the HIPAA mandate, setting standards for the protection of health information, and the requirement to perform a HIPAA risk assessment was put in place. However, many entities have yet to comply. In fact, the Office for Civil Rights (OCR) has spent the last two years conducting HIPAA audits. The first thing they ask for? Your security and risk assessments from the past three years.

If the OCR audited you today, would you be able to comply with that request? Consider: in 2016 the OCR fined covered entities more than $23 million, and more than $19 million in 2017.

A risk assessment is intended to identify potential risks and vulnerabilities to the availability and integrity of the PHI that an organization creates, maintains, receives and transmits. Consider the following when conducting a HIPAA risk assessment:

  1. Identify where your PHI is stored, transmitted and received.
  2. Identify and document threats and vulnerabilities.
  3. Assess your current security measures.
  4. Determine the likelihood of a threat occurrence.
  5. Determine the potential impact if a threat occurs.
  6. Determine the level of risk.
  7. Identify your security measures and finalize documentation.
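The seven steps above map directly onto a risk register. The following is an added example, not part of the article: a small Python register that records where PHI lives, the threat or vulnerability for each location, the controls already in place, and a likelihood and impact rating, then computes a risk level and lists the high risks that still have no planned control documented. The 3x3 likelihood-by-impact scale, the thresholds for "low/medium/high", and every asset, threat and rating in the sample data are assumptions constructed for illustration; the article prescribes no particular scale.

```python
"""Worked risk-register example (constructed; not from the article)."""
from dataclasses import dataclass, field

# Assumed 3x3 qualitative scale (the article gives none).
# score = likelihood * impact, then bucketed into a level.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> tuple[int, str]:
    """Step 6: combine likelihood (step 4) and impact (step 5)."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 6:
        return score, "high"
    if score >= 3:
        return score, "medium"
    return score, "low"


@dataclass
class RiskItem:
    asset: str                    # step 1: where PHI is stored/sent/received
    threat: str                   # step 2: threat or vulnerability
    current_controls: list[str]   # step 3: measures already in place
    likelihood: str               # step 4
    impact: str                   # step 5
    planned_controls: list[str] = field(default_factory=list)  # step 7

    @property
    def score(self) -> int:
        return risk_level(self.likelihood, self.impact)[0]

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)[1]


# Constructed sample register for a hypothetical small practice.
SAMPLE_REGISTER = [
    RiskItem("Practice management server (billing records)",
             "Unpatched OS exposed to ransomware",
             ["nightly backups"], "high", "high",
             ["monthly patch cycle", "offline backup copy"]),
    RiskItem("Staff email (claims sent to insurers)",
             "Misdirected email or phishing",
             ["spam filter"], "high", "medium"),
    RiskItem("Laptop used for transcription",
             "Loss or theft of an unencrypted device",
             ["password login"], "medium", "high"),
    RiskItem("Locked paper chart room",
             "Unauthorised physical access",
             ["keyed lock", "visitor log"], "low", "medium"),
    RiskItem("SFTP link to billing clearinghouse",
             "Interception of PHI in transit",
             ["SFTP with key authentication"], "low", "high"),
]


def prioritised_register(items: list[RiskItem]) -> list[RiskItem]:
    """Highest risk first; ties broken by asset name for a stable report."""
    return sorted(items, key=lambda r: (-r.score, r.asset))


def open_high_risks(items: list[RiskItem]) -> list[RiskItem]:
    """Step 7 check: high-level risks with no planned control documented."""
    return [r for r in items if r.level == "high" and not r.planned_controls]


def render_report(items: list[RiskItem]) -> str:
    """Plain-text documentation suitable for filing with the annual review."""
    lines = ["score level   asset / threat / controls"]
    for r in prioritised_register(items):
        lines.append(f"{r.score:>5} {r.level:<7} {r.asset}")
        lines.append(f"      threat:  {r.threat}")
        lines.append(f"      current: {', '.join(r.current_controls)}")
        planned = ", ".join(r.planned_controls) or "NONE DOCUMENTED"
        lines.append(f"      planned: {planned}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_REGISTER))
    for r in open_high_risks(SAMPLE_REGISTER):
        print("ACTION NEEDED:", r.asset)
```

Running the script prints the register sorted by score and then flags the two high-risk entries that have no planned control, which is the gap an auditor reading the finalized documentation would look for first. The report string is what you would retain year over year so that three years of assessments can be produced on request.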

When you identify these potential risks, you can work to mitigate the potential for breaches of PHI and prevent fines for your organization. Developing this assessment helps determine just how secure your practice is, as well as where improvements need to be made within your organization. A security and risk assessment should be conducted annually.

Employee Training in HIPAA Compliance

Most HIPAA breaches are the result of employee error; therefore, it is important that everyone on your staff receives regular and adequate HIPAA training. That training should cover the proper handling of PHI, recognizing and reporting suspicious activity and possible violations, what constitutes a violation, and how to protect yourself and your company from breaches.

After HIPAA training has been provided, be sure to document what was covered and the employees who participated.

When presenting a HIPAA training initiative to staff, stress the importance of the steps that everyone needs to take. There are many risks involved in not being HIPAA-compliant. If you are a small entity, a breach can potentially wipe you out once the associated penalties and fines are paid. HIPAA compliance, and more specifically HIPAA training, should be an “all-hands-on-deck” effort, and all staff need to be on the same page when it comes to ensuring compliance.

HIPAA compliance software can provide organizations with a security and risk assessment, employee training, complete policies and procedures and more.