A HIPAA security risk assessment is a thorough evaluation of all the potential threats to a practices’ electronic protected health information (EPHI). There are three areas of emphasis in a risk assessment, as mandated by the HIPAA Omnibus Rule: administrative safeguards, technical safeguards and physical safeguards. Most HIPAA security risk assessment tools are in the form of questionnaires or checklists that review all the necessary risks and needed components to safeguard EPHI in all three categories of risk. The assessment can be performed using an online or cloud document or a paper document. The key word here is document – as in the assessment must be documented in written or electronic format.
HIPAA rules require that this assessment be performed on an annual basis. The rules also state that if areas of risk are identified, they must be fixed, or a plan developed and followed up on to fix the issues. The risk assessment is one of the key documents that the Dept. of Health and Human Services (HHS) reviews during a random HIPAA audit or an audit that results from a complaint.
The requirement for assessing risks stems from the need for any health care provider to be aware of vulnerabilities in the creation, use, transmission and storage of EPHI. This includes things such as backups, use of security software and firewalls, policies on the appropriate use of computers in health care facilities, the need for secure passwords and much more. A typical questionnaire used for a HIPAA risk assessment has in excess of 100 items to be reviewed.
And speaking of appropriate use of computers in health care facilities…they should NEVER be used to download any type of software that is not related to the practice. This includes music, games, personal email, photos, etc. HIPAA requires a practice to have a policy in place that prohibits this and that employees be made aware of the consequences of violating this policy (i.e. what disciplinary action will be taken).
If your practice has questions about or needs assistance with a security risk assessment, contact Tyler at firstname.lastname@example.org.