Without a doubt, healthcare practices—big and small—find the HIPAA risk assessment daunting. The HIPAA Security Rule requires all covered entities (a.k.a. providers) and business associates (a.k.a. the people and vendors providers do business with) to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic protected health information (ePHI). However, carrying that out often seems insurmountable and impossible. How can any busy healthcare practice be expected to accomplish this task—while concurrently serving patients and managing operations? The reality is that many healthcare practices are not conducting a HIPAA risk assessment at all. For example, Texas Medical Imaging recently agreed to pay the Office for Civil Rights (OCR) $3 million for not conducting an accurate and thorough HIPAA risk assessment—an oversight that resulted in the exposure of 300,000 patients’ information on the Internet.
Clearly, failing to conduct a HIPAA risk assessment can be a risk in and of itself. And it’s a critical component to protecting your patients’ information. However, can a practice that does not have in-house expertise, resources, and time still accomplish such a complicated requirement? Absolutely! Here are four strategies to help you do just that:
1. Get educated.
Before you can even begin to tackle your HIPAA risk assessment, you must school yourself on the HIPAA Security Rule. Good thing, then, that there are many free resources you can use to educate yourself on HIPAA’s requirements, including these:
- The HIPAA Security Series Security 101 for Covered Entities
- The HIPAA Security Series Basics of Risk Analysis and RIsk Management
- OCR’s Risk Analysis Requirements under the Security Rule
- Security Guidance Material on the OCR website
- OCR training about the Security Rule
- HIPAA videos on YouTube
2. Get organized.
The OCR Audit Protocol provides audit inquiry questions to help you determine whether you are satisfying the regulatory criteria. Use the Audit Protocol as a guide for gathering all of your HIPAA policies and procedures—as well as your HIPAA business associate agreements. Then, map all the locations where you store ePHI and collect all of your HIPAA training materials. Having this information at your fingertips will maximize your time when you are ready to dedicate your focus to the risk assessment itself.
3. Identify the right assessment tool.
You use assessments to measure and track your patients’ progress, so this step will be familiar. Find a risk assessment tool that will help you identify and measure your practice’s ePHI risk. The National Institute of Standards and Technology (NIST) offers a free assessment toolkit to assess risk to your ePHI. And Sunhawk Consulting offers an easy-to-use HIPAA Check™ tool that guides you through the risk assessment process. HIPAA Check uses an algorithm to measure OCR settlement agreements and guidance in order to assess regulatory risk for each Security Rule requirement. The tool helps you prioritize items with higher regulatory risk, which pose a more significant threat to your ePHI security. WebPT Members can purchase a special version of HIPAA Check on the Marketplace that includes seven free HIPAA policies and procedures.
4. Break up a big project into manageable chunks.
Assessing risk is an ongoing process, meaning it cannot effectively be completed in one sitting. In the beginning, you’ll have to build an assessment process that works for your practice, understand where your ePHI lives, and learn about the applicable rules. To avoid becoming overwhelmed—and to ensure you maintain this project as a priority—consider breaking the project into smaller, more manageable components. Plan on reserving about four hours per month to work on the assessment. It may help to schedule a recurring time slot on your calendar.
The HIPAA risk assessment should be conducted periodically and whenever there are changes to your ePHI. After your first risk assessment and remediation, the time commitment may eventually reduce to about two hours per month. HIPAA Check™ is an ideal tool for tracking your risk assessment progress, because it’s easy to jump back into the tool after a period of several weeks. You can use the tool to filter the high, medium, and low risks and efficiently organize your time. Alternatively, you can use a spreadsheet or project management tool to track your progress and create a list of action items.
There you have it: four strategies to help you tackle the HIPAA risk assessment. Unfortunately, there isn’t a HIPAA easy button—and there is always a learning curve with these types of things. However, your process for conducting the assessment will do more than satisfy your compliance requirements; it will help you will better understand HIPAA rules, identify the risks to your ePHI, and empower you to take steps to mitigate those risks. Knowledge of this nature is critical to protecting your patient information—and thus, your practice.