Knowing that you need to conduct a Risk Assessment for HIPAA compliance is one thing. Figuring out how to go about it is something else.
For better or worse, the Office for Civil Rights does not require covered entities to use a standardized assessment form or process. This is good because it enables every organization to conduct an assessment that is meaningful and relevant for their operation. It can also be a challenge since it leaves responsibility for developing or choosing an assessment process in companies’ hands.
If you’ve been struggling to develop a good assessment process or feel that your existing one isn’t working, here’s what you need to know about implementing a powerful and effective HIPAA risk assessment process.
HIPAA Risk Assessment Questions
A good HIPAA security risk assessment looks at three distinct areas of your operation:
- Physical security
- Technical security
- Administrative security
Physical security focuses on your organization’s campuses. It looks at how secure the properties are and what safeguards are in place to protect people, equipment, and Protected Health Information (PHI).
Technical security focuses on your IT processes, equipment, and programs. It also covers contingency planning, including data recovery and backup systems.
Administrative security centers around your policies and procedures. This includes:
- Employee training and management
- Workflows and staff habits
- Documentation practices
- Business associate and vendor agreements related to PHI
While this can help you organize your assessment, it is still somewhat vague.
If you were to develop a HIPAA risk assessment template, what kinds of specific questions would you need to include in your physical security section to ensure compliance? The exact answer will vary to some extent depending on the size, structure, and nature of your operation and the PHI with which you work.
Most organizations, however, will start with questions like these:
- Is there a receptionist or other employee assigned to control access to the facility during standard business hours?
- Can non-staff access restricted areas without going through that person?
- How are restricted areas secured? (e.g. key locks, key-card locking systems)
- What procedures does your organization have in place to ensure that keys, passwords, records, and other access to PHI are collected from employees when they leave or their employment is terminated?
- How does your organization ensure the appropriate disposal of hard-copy records? (e.g. a cross-cut shredder, a contract with a professional shredding service)
- How does your organization ensure the appropriate disposal of digital records?
These questions are a great starting point, but larger or more complex organizations may need to add several layers of additional questions to fully explore and identify potential security risks.
Evaluating technical security may be the most challenging part of a HIPAA risk assessment. It encompasses everything from the very simplest of questions, such as whether an organization has anti-virus software, all the way up to complex encryption issues. Here are some sample questions you might expect to see on a typical assessment:
- Do all workstations have reasonable firewalls and password protection?
- Do all passwords meet minimum security standards?
- How often do passwords get changed?
- Is PHI available remotely or via mobile devices?
- Do workstations record which users log in, and when?
- Do workstations automatically log users out when they are inactive?
- Is all the appropriate equipment and data encrypted?
- Is your organization capable of remotely terminating access to your systems if a connected mobile device is stolen?
The actual questions you use on your assessment should reflect your specific operations. You will likely need the help of an IT professional to adequately assess the security of your systems.
The administrative security category covers a wider range of topics than the other two categories. This can make it difficult to know if you have covered everything. For example, common starting questions include:
- What information security policies and procedures do you have in place?
- Are these policies and procedures up-to-date?
- Do these policies align with current HIPAA standards?
- Are these policies consistently followed?
- How often are staff trained on HIPAA procedures?
- What type of training does your staff receive? (e.g. in-person, digital, interactive, lecture-based)
- Have all appropriate staff in all areas of your operations signed confidentiality agreements?
- Are your business associate and vendor contracts in order?
- Can you document all of the above?
It is important to keep in mind that having good practices is only one aspect of a strong administrative security score. If you cannot prove what you are doing through good documentation, it doesn’t count.
Risk Assessment HIPAA Compliance Help
The Office for Civil Rights doesn’t require everyone to use the same assessment, but it does require that everyone use an effective and thorough assessment. Developing an assessment from scratch is time-consuming and stressful.
Using a HIPAA risk assessment template may work for very small and simple organizations. But the onus and responsibility for security remain with the organization.
It is up to you to prove to the OCR that you conducted a risk assessment suitable for your operation and that your organization is in compliance.
For many covered organizations, the best way to manage and mitigate this risk is to hire an experienced third party to handle their assessments. Qualified third-party assessors can help you:
- Determine what PHI you handle and how it moves through your organization
- Identify weaknesses and vulnerabilities within your operations
- Evaluate your existing safeguards
- Document your current status and any improvements you make
Third-party specialists like HIPAA Security Suite have the tools and expertise to customize an assessment to your organization. We work with operations of all sizes and structures and know how to drill down into each category. Our assistance makes it easy to:
- Run assessments as often as needed
- Document your results
- Act on areas that need improvement
- Rest with confidence, knowing that your organization is in compliance
Learn more about how we can help you implement a Risk Assessment for HIPAA compliance stress-free. Contact us to learn how to get started and what we can offer you today.