How can a risk assessment be worthless?

Risk assessments can be one of the most effective tools in your security arsenal. However, if you get the results and don’t act on them, it’s as good as not doing one at all, and all too often, that is the reality. So how do you actually make your company more secure?

It starts with an effective security risk assessment. Identifying what assets you have and what protections are in place, or what is needed, is critical to keeping your organization’s sensitive data protected. For too many organizations, however, and this is the point OCR made in this penalty, the risk assessment itself is not enough. In fact, knowing what you need to do to protect your assets and failing to do so is no better than not knowing at all. If you aren’t going to remediate the deficiencies found in your risk assessment, you may as well toss it into the trash bin. In other words, what you do about your risk assessment matters as much as, or more than, having one done.

Ironically, the same holds true for your Business Associates. Congratulations, your vendor signed your BAA (Business Associate Agreement), but if that’s the extent of your vendor due diligence, then you may as well file that in the trash bin too. Do you realize that when your vendor signs a BAA, they are committing to the same process you follow? That’s right, they have to do a risk assessment also. Do you think it’s a good idea to request a copy of your vendor’s risk assessment? We sure do. Our clients do.

If you need help with your HIPAA compliance, we can help. Not only can we cost-effectively conduct a thorough security risk assessment, but we can also assist in remediating any of the shortfalls. It’s what we do. And we’re very, very good at it.

Your security matters to us. Be safe.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for a weekly HIPAA Security Reminder to help stay compliant.