Every healthcare provider and healthcare worker should be familiar with HIPAA regulations. But it can be overwhelming to wrap your head around the many different components. Here are some key points about HIPAA.

Top Facts About HIPAA Every Healthcare Provider Needs to Know

HIPAA offers guidelines on how to process patients' personally identifiable information (PII) for the highest level of privacy and security.

To stay compliant, you should be aware of these top facts:

1. HIPAA regulations apply to more organizations than you might think

Every organization considered a "covered entity" must ensure ongoing healthcare HIPAA compliance. The term covered entity encompasses different provider types and entities in various healthcare settings. They include physician practices, ambulatory surgery centers (ASCs), hospitals, dentists, psychologists, podiatrists, lab technicians, hospitals, clinics, nursing homes, schools with health services, nonprofits that offer healthcare services, and government agencies involved in healthcare.

A covered entity can be health insurance companies, employer-sponsored health plans, and government health programs such as Medicare and Medicaid. They may also refer to organizations that work with healthcare data (e.g., patient billing services, electronic medical records providers) or require access to healthcare information (e.g., data processing firms, medical equipment providers, law firms, and software vendors.)

2. HIPAA compliance is non-negotiable for healthcare workers

HIPAA regulations play a critical role in streamlining administrative healthcare procedures, increasing efficiency in the healthcare industry, protecting sensitive patient information, and ensuring that workers retain their healthcare insurance even if they lose their jobs. Every healthcare provider must always maintain HIPAA compliance or risk substantial fines.

HIPAA consists of 4 key components: 

• Privacy Rule: Safeguards individuals' health information and makes sure that patients have the right to access their health records.
• Security Rule: Provides guidelines on how to properly store, protect, and manage electronic protected health information (ePHI.)
• Business Associate Agreement (BAA): Designed to ensure that any business associate (discussed further later in the guide) of a covered entity will abide by HIPAA regulations.
• Breach Notification Rule (the Omnibus Rule): Provides instructions on the procedures to follow in the event of a breach of unsecured protected health information (PHI).
  
  

3. Failure to comply with HIPAA regulations could cost you — a lot

HIPAA enforcement is taken very seriously. Depending on the type of HIPAA violation, providers could face fines of up to $1.5 million per year. Moreover, a failure to protect patient data can erode patient trust, cause long-term damage to the provider's reputation, and impact patient care.

4. HIPAA compliance includes technical, physical, and administrative protections

A HIPAA compliance strategy touches upon every aspect of your organization. It must cover the following:

• Technical protections: Encrypt and authenticate ePHI, implement access control, log changes to health data, and ensure that users are automatically logged off from the system after accessing ePHI.
• Physical protections: Implement a process for controlling and monitoring the personnel who can access patient data. Also, you must manage and track all the devices (e.g., laptops, smartphones, tablets) that can access PHI remotely.
• Administration protections: Ensure that every business associate has signed a BAA, document a contingency plan, record and track security incidents, and train staff on the latest HIPAA regulations.
  
  

5. Protected health information (PHI) has a broad definition

HIPAA focuses on protecting and managing health information that can be associated with a specific individual (i.e., patient.) PHI can include a wide range of data and must be carefully handled under HIPAA regulations. Types of patient data include:

• Patient phone numbers and email addresses
• Social security numbers
• Chart numbers
• Health insurance numbers
• Device identifiers and Internet Protocol (IP) addressed
• Biometric information, such as fingerprints or retinal scans
• Full face photographs
• Laboratory results

If the information is "de-identified" — for instance, if personal details are removed so that no specific individual can be associated with the data — then it would no longer be considered PHI and HIPAA regulations would not apply.

6. You need to perform multiple audits and document them

Maintaining healthcare HIPAA compliance is not a one-and-done process. To keep compliant with HIPAA, you are expected to conduct and document six annual audits:

• Physical site audit
• Audit of all assets and devices
• Security standards audit
• Security risk assessment
• Privacy assessment (for covered entities only, not business associates)
• HITECH Subtitle D audit

If you identify compliance gaps during these annual audits, you must document the deficiencies and create a plan to address them. You should keep all audit documentation for at least six years.

7. All staff must receive HIPAA compliance training

All staff members working in a healthcare setting must receive annual HIPAA training and security awareness training. They must understand what HIPAA is and why compliance is important. You'll need to document staff attendance and designate one employee to act as the HIPAA compliance and/or security officer.

8. Staying HIPAA compliant while working remotely can prove more difficult

The remote working trend will make it tougher to ensure HIPAA compliance. For instance, staff trained in data security on company-owned workstations may not know how to maintain the same level of protection on their laptops or other devices used outside of the workplace.

Additionally, not every employee can guarantee patient confidentiality in an at-home setting. For example, if a healthcare professional is sharing a home office with a family member, patient calls could be overheard.

To best maintain HIPAA compliance when employees are telecommuting, establish security protocols for all work devices used to access health information. Also, provide employees with HIPAA compliance training on how to set up a secure home office environment.

9. You need a detailed plan

To effectively maintain HIPAA compliance, you need a detailed plan to avoid human errors. HIPAA policies and procedures must be shared and communicated with staff members. Meanwhile, patients must also receive a notice of privacy practices that details how a provider plans to use and disclose their health information. Your policies and procedures should address information security, such as password management, data encryption, email, data backups, and data disposal.

You should define privacy policies, including how and when patient information may be discussed. Also, develop a detailed response plan for data breaches and review your policies annually to make sure they address new developments in your organization or changes in HIPAA regulations.

Once you have a handle on the main tenants of compliance, you'll want to begin strengthening your organization's HIPAA compliance performance. But before we share some guidance for you to consider, we want to discuss a concept commonly associated with HIPAA compliance that's often misunderstood: HIPAA compliance certification. Let's look at what this really means.

What You Need to Know About HIPAA Compliance Certification

HIPAA compliance certification often gets confused with HIPAA compliance, resulting in erroneous and potentially costly assumptions. There's a big difference between achieving HIPAA compliance certification and achieving HIPAA compliance. According to the HIPAA Journal,

"… there is no standard or implementation specification within HIPAA that requires covered entities or business associates to certify compliance …"

What does HIPAA compliance certification mean for your organization? Here's what you need to know about certification and why you may want to get certified even though it's not an essential part of achieving and maintaining compliance.

Bringing your healthcare organization into compliance with HIPAA is just the first step. The challenge is to then remain compliant as regulations evolve and your organization undergoes changes over time.

To adapt to these changes, you need to understand the purposes of HIPAA, which include the following:

• Ensure protection and confidential handling of PHI
• Reduce the likelihood of healthcare fraud or abuse
• Mandate industry-wide standards for healthcare information contained in electronic billing and other processes
• Provide the ability to transfer and continue online health insurance coverage for patients when they change or lose their jobs.
  

Staying Current with HIPAA Compliance Requirements 

New circumstances often present obstacles to staying compliant with HIPAA regulations. Let's examine some common challenges and how to overcome them using ongoing best practices that can help you stay current now and in the future.

Problem: New technologies or procedures are introduced that disrupt compliance.

Solution: Conduct risk assessments

Conduct a HIPAA risk assessment annually to help your organization maintain ongoing compliance. A risk assessment may be required more than once per year if new technologies or procedures are introduced. HIPAA Journal recommends that a risk assessment should cover the following:

• Identify where PHI is stored, received, maintained, or transmitted
• Identify and document potential threats and vulnerabilities
• Assess current security measures used to safeguard PHI
• Assess whether the current security measures are used properly
• Determine the likelihood of a "reasonably anticipated" threat
• Determine the potential impact of a breach of PHI
• Assign risk levels for vulnerability and impact combinations
• Document the assessment and act where necessary
  

Conducting a risk assessment can be challenging for small or medium-sized practices. To better ensure a thorough assessment, work with an experienced healthcare IT professional so you can be confident that any HIPAA compliance issues and vulnerabilities are uncovered and addressed.

Problem: Protected health information (PHI) is stored in multiple places

Solution: Identify and analyze the location of PHI and all systems that may contain it

A protected health information analysis evaluates every element of PHI within your organization and its information systems. While the HIPAA Security Rule covers ePHI, you should also take inventory of all data stored on paper. This will help reveal risks that should be addressed so you can better secure all information from potential breaches. Your practice's PHI should be reviewed at least annually.

While identifying how information is collected, used, stored, shared, and disposed of can be straightforward, protecting such data isn't as simple. Consider partnering with a healthcare IT specialist to perform a thorough PHI analysis and ensure that your PHI is secure.

Problem: Staff, services, technology changes can make policies ineffective if they are not updated

Solution: Frequently develop and implement documented standards for your policies and procedures

At least every two years, or more frequently if your organization undergoes significant changes, your policies and procedures should be reviewed and updated. By developing and implementing policies and procedures, you communicate to staff and patients that roles and responsibilities have been established to keep PHI secure. This also enables you to explain how you'd handle an incident such as a data breach.

Policies your practice should have in place include the following:

• Security policies — These may include procedures designed to protect PHI, such as password management, encryption, email, data backups, device disposal, and more.
• Privacy policies — These should include rules that pertain to how patient information is shared within your organization and with third parties.
• Breach notification policies — These detail the rules or steps your organization must take if a data breach occurs. You should include a current incident response plan (IRP,) which outlines guidelines related to PHI security-related incidents that meet HIPAA requirements.
• Procedures — These are necessary steps that staff must follow to implement your policy. For example, explain how employees should utilize healthcare IT software to keep patient information secure.
  

You can partner with a healthcare IT specialist to ensure that you meet all requirements for the EHR Incentive Program and annual HIPAA security risk analysis (SRA), so you can put your organization in a position to receive financial incentives that support your compliance efforts. Yet, there are more steps you can take — starting with reforming as many paper-based processes as possible.

Why You Should Implement HIPAA-Compliant Electronic Forms

The migration from paper-based to electronic HIPAA compliance forms has become increasingly important to achieving and maintaining HIPAA compliance. Consider the following:

• The Health Information Technology for Economic and Clinical Health (HITECH) Act incentivizes healthcare organizations to use electronic health records to increase efficiency and portability. It also permits the OCR to audit and punish non-compliance more aggressively.
• The HIPAA Omnibus Rule specified a patient's right to electronic PHI, broadened the definition of business associates with whom healthcare organizations must maintain HIPAA agreements, and required updates to notice of privacy practices (NPPs.)
• Plans are under consideration to enhance patient access to PHI, boost information-sharing, and improve case management across the care continuum.
  

What do these all mean to healthcare providers? It's imperative to be able to share your HIPAA compliance forms (e.g., NPP, authorizations, intake records, BAAs) quickly and store them in a controlled way. This means switching to electronic forms.

Below are some of the common problems that switching to electronic HIPAA-compliant forms helps to address.

Why Your Organization Should Use a HIPAA Compliance Checklist

HIPAA compliance involves the continuous monitoring of technical, physical, and administrative processes. Failure to comply with HIPAA regulations can result in massive fines and lasting damages to your organization's reputation.

Fortunately, there's a straightforward and low-cost solution to keep your organization HIPAA compliant: a HIPAA compliance checklist. This resource can be as simple as a list with checkboxes, either in a digital or paper format, to cover areas of HIPAA compliance and identify required actions that your employees must complete to ensure compliance.

Here are seven reasons why your organization should leverage a HIPAA compliance checklist.

1. Checklists work incredibly well in high-stakes situations

Checklists are highly effective at reducing memory-related errors, particularly when people are active, under time pressure, and in stressful situations. That's why checklists are frequently used for surgery and intensive care. You can adopt this method to help enforce HIPAA compliance as well.

2. Checklists create clarity

The process of creating, reviewing, updating, and completing a HIPAA compliance checklist helps prevent your team from overlooking critical areas. This systematic approach to risk management better enables you to detect threats to and vulnerabilities within your organization that could result in the unauthorized disclosure of PHI. By addressing vulnerabilities, you can avoid potential damages to your brand and patient trust while reducing the risk of breaching HIPAA guidelines and incurring hefty fines.

3. Checklists facilitate knowledge management

HIPAA requires covered entities to assign an employee as HIPAA compliance officer. This individual is responsible for ensuring HIPAA compliance in your organization. However, if that person is unavailable for the short or long term, HIPAA requirements might be overlooked. A checklist helps maintain consistency when there is a transfer of responsibility from one HIPAA officer to another.

4. Checklists help you prioritize

A HIPAA compliance checklist gives you visibility into issues of concern. It also helps you create and document a plan to address these challenges, as required by HIPAA. Such a level of transparency also allows you to prioritize the issues according to their risk level.

5. Checklists help you build a culture of compliance

Becoming a HIPAA-compliant healthcare provider isn't just a question of box-ticking. To maintain compliance over time, you need to create a HIPAA-aware culture. That way, if employees change a process or update a system, they'd know to check for compliance issues or inform the HIPAA officer without being reminded.

As a simple risk management tool, checklists help effectively communicate with employees about your security priorities. Once you have a working checklist in place, make sure every employee who works with PHI receives a copy. You can introduce the checklist in a workshop to help ensure that everyone understands how to implement the procedure.

6. Checklists can improve compliance training

Checklists can help you create more effective HIPAA training programs, which you must provide to comply with HIPAA. By working through a HIPAA compliance checklist and reviewing best practices, you can create a customized training course that is much more likely to result in positive outcomes.

Training your employees in compliance best practices is far better than correcting bad practices in the workplace randomly as you see them happen. Being proactive is not only the right thing to do but can also greatly reduce the risk for your organization.

7. Checklists support compliance documentation

The documents used in creating a HIPAA compliance checklist also satisfy some of the administrative safeguards mandated by the HIPAA Security Rule. Aside from advancing your compliance efforts, the documents may aid an investigation process and reduce your costs if your organization experiences a breach or is selected for a HIPAA audit.

How To Create a HIPAA Compliance Checklist

The HHS does not provide a standardized HIPAA compliance checklist because no two organizations face the same HIPAA compliance risks. Checklists should be designed specific to an organization's operations and needs.

To create a HIPAA compliance checklist, it's best to partner with a consultancy or managed services provider (such as Medicus IT) with HIPAA expertise or work with an experienced HIPAA officer.

Begin by conducting a systematic HIPAA risk assessment to identify critical infrastructure vulnerabilities that can put PHI at risk. From there, review each of the potential risk areas and create a plan to address them. Finally, create a customized checklist for your organization by considering a broad range of compliance areas such as:

• Annual audits and assessments
• Business associates
• Contingency planning
• Data encryption
• Documentation
• Identity management
• Patient access
• Policies and procedures
• Training
• Updates and changes to systems and operations

We strongly believe in the value of using a HIPAA compliance checklist. As such, we have created a HIPAA SRA checklist template, which you can download here to jumpstart your effort.

Even with the best-laid plans, cybercriminals can still potentially exploit holes in your security posture. That's why it's a good idea to consider what the threat landscape looks like and what your organization can do in response.

BACK TO TOP 

Cybercrime is a billion-dollar black market, and the healthcare industry is a prime target. It's been among the most popular for cybercrime in recent years. Staying on top of the latest cybersecurity best practices and changes in HIPAA legislation can be challenging. Yet, healthcare organizations can't afford to have compliance gaps that can be exploited by cybercriminals.

It's therefore critical to understand the most significant threats to HIPAA cybersecurity compliance and healthcare systems. Below are some common HIPAA cybersecurity threats and obstacles to HIPAA compliance success. They show how organizations may go awry with compliance and how you can put in the necessary measures to better keep your organization protected.

1. Phishing, Malware, and Ransomware

Phishing is one of the top causes of data breaches. Simple in concept, phishing schemes rely on gaining key information by fooling unsuspecting employees into doing something via email (e.g., downloading malware or clicking on a malicious link.) The goal is to infiltrate an IT system.

Many phishing schemes are designed to deliver malware, which can hide in downloads. Malware can include viruses, trojans, adware, spyware, ransomware, and other malicious programs. It can remain largely hidden to collect information or lock up an entire system. In 2015, the University of Washington School of Medicine was fined $750,000 after 90,000 patient records were potentially exposed in a phishing incident. One employee opened a likely-forged email to review a document that looked reputable. This misstep resulted in fines, public reputation damage, and the expense of corrective actions.

Ransomware is a type of malware that's a growing threat. Ransomware encrypts important files and systems so an organization cannot access and use them. This can slow down essential processes or render them inoperable. Once files are encrypted, cybercriminals typically demand payment in cryptocurrency to release the files. However, there is no assurance that the criminals will release the files after payment is made.

Here are four strategies to increase resilience to phishing and malware you should add to your HIPAA cybersecurity program:

• Minimize available information about employees — Public directories and other documents with details about staff members are often used for phishing. The more information available about a person, the more convincing (i.e., personal) phishing emails can be.
• Train employees on cyber incidents — Employees should regularly be drilled with phishing simulations and learn about how real-life successful attacks occurred. Those exposed to simulations had a median click rate 25% lower than those who did not.
• Filter out suspicious content — All email systems should have filtering mechanisms to block phishing attempts by quarantining suspicious inbound messages and blacklisting phishing sources.
• Multi-factor authentication (MFA) — Cybercriminals often try to exploit usernames and passwords to access networks. Reduce vulnerability by implementing another level of security to confirm the identity of a user. It could be a security question, PIN, or a registered device that interacts with the computer.
  
  

2. Legacy Systems

A legacy system is an outdated system no longer actively patched and maintained. Its vulnerabilities can become well-known. Cybercriminals are more likely to infiltrate a network through outdated programs. Yet, many healthcare providers still use legacy systems because of the expense and administrative disruption that they believe an overhaul can cause. Surveys have shown that many individuals and business using legacy systems. One of the most common is Windows 7, which was added to the list of obsolete software as of January 2020.

It is critical to determine what legacy systems are still in use by your organization and devise a plan to perform necessary upgrades or replacements.

3. Insufficient Employee Training

• Although your employees may be aware of common phishing scams, there are other avenues through which breaches can occur. Whether it's caused by intentional misconduct or, more commonly, a lack of awareness, employee behaviors should be at the top of your list of concerns and a significant focus of your HIPAA cybersecurity checklist and training. HIPAA Journal identifies these common ways that poor employee practices may be putting PHI at risk:
• Snooping on medical records — Healthcare employees who have received HIPAA training should understand what is considered a violation of their employer's HIPAA policies. Yet, this is not always the case: From 2012 to 2020, Kaiser Foundation Health Plan of the Mid-Atlantic reported an employee inappropriately accessed members' radiology records. Lurie Children's Hospital of Chicago reported an employee inappropriately viewed more than 4,800 patient medical records.
• Mishandling of PHI — This broad category can include everything from insufficient PHI access controls and emailing PHI to personal email accounts to downloading PHI onto unauthorized devices. Cited as one of the 10 most common reasons for HIPAA violations, using unauthorized devices is often a shortcut for time-crunched staff. But HIPAA security rules clearly state that:
  
  

  "Clinicians and team members working virtually may access PHI only on authorized devices and must avoid downloading them to unsecure locations."

  Proper training must emphasize this rule, as well as the one that requires covered entities and their business associates to limit access to PHI to authorized individuals. The failure to implement appropriate ePHI access controls is also one of the most common HIPAA violations and has garnered a lot of attention. For instance, HIPAA Journal cites the example of Anthem, which paid $16 million in fines for access control failures and other HIPAA violations.

• Improper disposal of PHI — Training your employees on how to securely and permanently destroy PHI is essential. As HIPAA Journal states,

  "For paper records, this could involve shredding or pulping and for ePHI, degaussing, securely wiping, or destroying the electronic devices on which the ePHI is stored to prevent impermissible disclosures."

  It might seem simple, but as recently as 2019, Becker's Hospital Review reported that seven healthcare providers disclosed that patient and employee records were dumped in unsecure locations.

4. Non-Compliant Third-Party Business Agreements

You could risk a HIPAA violation if you engage with third-party vendors and business associates whose work involves handling sensitive data but are non-compliant with HIPAA rules. Even when business associate agreements (BAAs) are in place for your partners, they may not be HIPAA compliant or continually assessing their risks.

Healthcare providers must do their best to verify that any partners responsible for managing PHI follow HIPAA policies and procedures. Regularly reviewing and updating business associate agreements should be an item on your HIPAA cybersecurity checklist.

5. Loss or Theft of Technology

Loose security standards can put your organization at risk of theft. Even if theft cannot be proven, the inability to account for records represents an equal risk.

6. Failure to Use Encryption on Portable Devices

Although encryption is not a requirement, it's a HIPAA cybersecurity best practice for defending against threats. According to HIPAA Journal,

"Breaches of encrypted PHI are not reportable security incidents unless the key to decrypt data is also stolen."

When weighing whether to implement encryption, consider the cost implications of not adding this safeguard. In 2017, the Children's Medical Center of Dallas received a $3.2 million civil monetary penalty for:

"failing to take action to address known risks, including the failure to use encryption on portable devices."

7. Impermissible Disclosures of PHI

Any disclosure of protected health information not permitted under the HIPAA Privacy Rule can result in a financial penalty. OCR reports that it has investigated and resolved more than 28,000 cases by

"requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates."

The investigation yielded some important insights. For example, the report states that among the compliance issues most often alleged in complaints, "impermissible uses and disclosures of protected health information" tops the list in terms of frequency.

The impact of overlooking this issue could have staggering consequences. The OCR reports that it has settled or imposed a civil money penalty in close to 100 cases resulting in a total dollar amount of more than $135 million.

8. Improper Use of Electronic Forms

HITECH recommends that healthcare providers use electronic health records to increase efficiency and portability while better ensuring HIPAA compliance. Proposed rules that aim to enhance patient access to PHI, boost information-sharing, and improve case management across the care continuum are making the digitalization of PHI even more urgent.

Healthcare organizations often make the mistake of using a mix of paper and e-forms. This can result in information being stored in different places and make compliance even more challenging. Additionally, not using the right software or workflows to manage e-forms can make an organization more volume and increase opportunities for hackers to access PHI.

Lastly, don't overlook the importance of identifying and protecting remote access points from cyberattacks as you migrate PHI to digital format. You can read more about how to strengthen remote access security and ensure patient confidentiality here.

9. Improper Disposal of Devices

Devices on which PHI is stored must be disposed of properly or you could risk having the information stolen by malicious actors. Here are some common mistakes to avoid in this area:

• Neglect to train home healthcare workers — If your organization employs home healthcare workers, they must know how to securely dispose of devices that may store PHI. While there isn't a specified way for home healthcare workers to dispose of hardware, they should be trained with the rest of your staff and consistently follow your organization's policies.
• Reusing hardware with PHI — Another area that organizations may overlook is the reuse of hardware that previously used to store ePHI. Don't forget to properly dispose of PHI stored in the devices before reusing them.
• Only performing simple deletion of data — Some organizations may think that deleting all the data or formatting the hard drive before disposal is enough. But if you fail to clear data thoroughly, traces could be left behind. Some criminals may even be able to retrieve the data, putting your organization and patients at risk. It's critical to have the appropriate procedures in place to purge data and verify that it has been completed deleted.
  
  

10. Not Using a HIPAA-Compliant Phone Service

HIPAA regulations apply to all forms of patient communication, including phone calls, voice messaging, text messages, call recording, and video calls. If you communicate with your patients via phone, you must use a HIPAA-compliant phone service.

Your phone service must satisfy the conditions specified in the HIPAA rules. In particular, your VoIP vendor must offer features including:

• Encryption for all stored data, including call recordings and chat logs
• Detailed call records
• A unique ID for every phone in the system, each with a specific username and password
• Role-based access controls

A HIPAA-compliant phone service helps you stay compliant, protect patient information, ensure a secure IT system, support a remote workforce, and facilitate the shift to telehealth services.

11. Not Conducting Regular and Professional Risk Assessments

If you are found to have violated HIPAA regulations during a compliance audit, you may face a significant fine. As the HIPAA Journal notes,

"More recently, the majority of fines have been under the 'Willful Neglect' HIPAA violation category, where organizations knew — or should have known — they had a responsibility to safeguard their patients´ personal information. Many of the largest fines — including the record $5.5 million fine issued against the Advocate Health Care Network — are attributable to organizations failing to identify where risks to the integrity of PHI existed."

Healthcare organizations that fail to ensure the safety and integrity of their patients' PHI are putting their organization, financial stability, and patients' data at risk. HIPAA security risk assessments should always be performed by a qualified third party with healthcare experience and expertise. Even if you have your own in-house IT team, it's best to work with an experienced healthcare IT firm for your risk assessments.

Why? An IT firm that specializes in HIPAA compliance will be more likely to identify shortcomings. With an unbiased and objective viewpoint, they are better positioned to catch overlooked problems and deficient processes. As the saying goes, you don't know what you don't know. Not to mention, regular and comprehensive risk assessments can help you identify many of the pitfalls we discuss here, so you can prevent them from festering into costly issues.

With all of that said, the effectiveness of these assessments will depend heavily on how your company chooses to optimize their usefulness.

BACK TO TOP 

Violating HIPAA regulations can have serious consequences for organizations and patients. A proper HIPAA risk assessment is crucial to complying with security standards and achieving compliance.

Why a HIPAA Risk Assessment is Critical to Achieving Compliance

A HIPAA risk assessment provides an accurate and thorough evaluation of the potential risks and vulnerabilities to protected health information in your organization. In fact, it must be conducted whenever certified EHR technology is adopted in the first reporting year.

Here's the critical role that a risk assessment plays in helping ensure compliance.

Importance of a HIPAA Security Assessment

A HIPAA risk assessment is vital for identifying and addressing issues concerning confidentiality, integrity, and availability of PHI. The HIPAA security assessment pinpoints shortcomings, so healthcare providers can take appropriate actions, implement improvements, and mitigate such risks through physical, technical, and organizational safeguards.

Healthcare providers should take the HIPAA risk assessment seriously — not only because of its role in helping safeguard PHI but also to avoid penalties. Security risk assessment (SRA) failures are a common precursor for HIPAA penalties. Many OCR HIPAA settlement actions concerning electronic PHI breaches involve insufficient risk analysis. Healthcare providers that struggle with risk assessment should seek professional help to identify and address vulnerabilities and avoid penalties.

Understanding HIPAA Security Assessments Rules

Performing a risk analysis regularly is an integral part of a solid action plan for protecting PHI. The HIPAA Security Rule, section 164.308(a)(1)(ii)(A) states that a risk analysis is required. Specifically, the Guidance on Risk Analysis states that every organization must "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

Acquiring written proof of compliance by conducting a risk analysis does more than fulfil a requirement. It identifies vulnerabilities in the security of your organization, so you can strengthen security and better protect patient information. Without a risk analysis, weak points could go unnoticed. They may worsen over time, putting your patients' privacy and your organization in even greater jeopardy.

How HIPAA Security Assessments Help Ensure Compliance

The HIPAA security assessment is a complete audit of all your healthcare organization's systems, processes, hardware, and more. It analyzes every nook and cranny of your infrastructure.

A well-formed and executed HIPAA risk assessment will find problems and vulnerabilities. Once you identify the areas that need addressing, they can be fixed or monitored. You are less likely to encounter unpleasant surprises if your organization undergoes a HIPAA audit.

The preventative nature of an SRA allows you to identify vulnerable systems before problems arise to avoid fines. It is important to note that SRAs will only help improve compliance if executed correctly.

How to Conduct a Proper HIPAA Security Assessment

HIPAA risk assessments can be very effective — when done thoroughly. Assessments are intended to essentially examine every inch of your infrastructure, so the process can feel arduous. How can you make sure the job is done right? The Office of the National Coordinator for Health Information Technology (ONC) offers a few resources to streamline the process, one of which is a security risk assessment tool.

This tool guides small companies through the HIPAA security assessment process. When you enter information into the SRA Tool, data is stored locally on your device. HHS doesn't receive or access your data in any way, so you don't have to worry about data security.

After completing the assessment, you'll receive a results report. You can use it as a guide to locate risks and strengthen policies, processes, systems, and methods that require attention. The SRA Tool undergoes periodic updates, including one in September 2020. New features are intended to make the new SRA Tool easier to navigate while delivering a more in-depth risk assessment. Expanded exporting capabilities make reports easier to share.

A More Reliable HIPAA Security Assessment Method

While the SRA Tool can be a helpful resource, it has some shortcomings. The federal government notes that the SRA Tool

"… is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks."

The target audience of the tool is smaller organizations (with 1-10 healthcare providers,) so it may be inappropriate for larger organizations. Also, organizations that only use the SRA Tool to perform their HIPAA risk assessment may overlook the value and importance of engaging with external HIPAA experts.

To best ensure that your HIPAA security assessment catches all potential vulnerabilities, outsource your SRA to a specialist in HIPAA compliance. While it's possible for small providers to complete risk assessments without outside help, partnering with experts will give you a thorough and dependable risk analysis to effectively identify risks, protect data, and better avoid penalties.

Not to mention, a third-party healthcare IT firm is more likely to provide an objective report that identifies overlooked problems and deficient processes. A proper HIPAA security risk assessment includes a consultation so you can get your questions answered, learn simple solutions, discuss the next steps for improvement, and receive training.

Download this HIPAA security risk assessment template checklist to see what you should expect from an assessment. Getting the assessment is only the first step, however. It's what you do with the results that really matters.

5 Critical Steps to Take Once You Receive HIPAA Assessment Results

A comprehensive HIPAA assessment will almost always find problem areas and vulnerabilities that might affect HIPAA security compliance. If you work with an experienced healthcare IT service provider, you should receive a detailed results report following the assessment. This report will flag risks and identify policies, processes, or workflows that should or must be revised.

The good news is that once you know what to address, you can either immediately get to work on fixing the problems or set up processes to monitor shortcomings until you can resolve them. This will help keep your healthcare organization HIPAA compliant and better protect your patients' data.

Here are the five key steps you should take after receiving your HIPAA assessment results.