The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.

Benefits of HIPAA Security Risk Analysis

  • Risk analysis involves identifying probable threats to an IT system and organization and analyzing the related vulnerabilities to these threats.
  • Risk assessment is used to determine the extent of the potential threat and the risk associated with an IT system to the organization. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.
  • Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

In the new Audit Protocols published by the Office for Civil Rights (OCR) in a April 2016 found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/ has a section about HIPAA Security risk analysis and assessment.

Basically, if you have Patient Health Information (PHI, or ePHI) then you need to protect it. It’s as simple as that. You need to know how to protect it and what the requirements are.

what your organization will need to show to OCR not if, but when your organization is audited:

  • Does the entity have policies and procedures in place to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic protected health information (ePHI) it creates, receives, maintains, or transmits?
  • Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?

Your organization will need to have at least the following to provide to OCR for an audit or investigation:

    • Policies and procedures that state how your organization conducts an assessment, what is your methodology, who does the assessment, and how often your organization does an a risk analysis and assessment; and
    • The risk analysis and assessment documentation for 2016, 2015 and before, that includes
    • All your organization’s systems that create, transmit or maintain ePHI
    • Reports detailing all threats and vulnerabilities specific to your organization
    • An outline and assessment of your organization’s current security measures and controls
    • An analysis of the impact and likelihood of the specific threats and vulnerabilities
    • A risk rating of your organization’s threats and vulnerabilities
    • Inventory of all your organization’s systems and tools, such as tablets, laptop, and clinical tools connected to your organization’s network that create, maintain or transmit ePHI.

Cytek can assist your organization with performing a HIPAA Risk Assessment and easily organize all what you need to pass such an audit. Cytek Safeguard™ a cloud portal that provides you and your staff everything you needs to become compliant and pass audits.

Don’t leave your organization subject to fines and negative publicity associated with a privacy breach, or other missteps in today’s elevated focus on HIPAA at the OCR.

Visit Cyteksafeguard.com today for your free HIPAA Risk Assessment

www.cyteksafeguard.com