When it comes to performing your HIPAA Risk Assessment, the federal HIPAA guidelines can be confusing. A HIPAA Risk Assessment template that lays out the process your practice should follow reduces the chance of leaving a required step out, or of doing work the regulation does not ask for, while keeping your business safe.
Let’s take a look at what exactly HIPAA regulation says about risk assessments so you can better understand your responsibilities under the law.
Understanding HIPAA Risk Assessments
HIPAA regulation is composed of several HIPAA Rules. The HIPAA Rules set national standards for the security and privacy of protected health information (PHI). PHI is individually identifiable health information: any information about a patient's health condition, care, or payment for care that is tied to an identifier. Common identifiers that make information PHI include names, dates of birth, addresses, phone numbers, email addresses, insurance ID numbers, Social Security numbers, and the medical records themselves.
HIPAA Risk Assessments are mandated by the HIPAA Security Rule, whose risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)) applies to electronic PHI (ePHI). The Security Rule sets standards for the confidentiality, integrity, and availability of ePHI and requires HIPAA-beholden organizations (covered entities and their business associates) to put safeguards in place to meet them. These safeguards must be captured and documented in your organization's HIPAA policies and procedures so that security is maintained uniformly across your organization.
The HIPAA Security Rule is broken into three main categories of safeguards: Administrative, Physical, and Technical. Each category has associated standards that must be addressed within every HIPAA-beholden organization.
In order to perform a complete HIPAA Risk Assessment, your organization must audit its security measures against the standards outlined in these three categories, identify where ePHI is created, received, stored, and transmitted, and document the threats and vulnerabilities to that ePHI along with the measures that reduce them. Some examples of the questions each category raises include:
- Administrative: Are all staff members properly trained on your organization’s HIPAA Security policies?
- Physical: What kind of physical security measures (locks, alarm systems, visitor controls) does your organization have in place to protect against theft of, or unauthorized physical access to, the workstations, servers, and media that hold ePHI?
- Technical: What kind of cyber-security measures (firewall, antivirus, encryption) does your organization have in place to protect electronic PHI?
The Department of Health and Human Services (HHS) and the National Institute of Standards and Technology (NIST) have released two free HIPAA Risk Assessment template tools that can be accessed below:
HHS Security Risk Assessment Tool
NIST HIPAA Security Rule Toolkit Application
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches® field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including guided walkthroughs of HIPAA Risk Assessments.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Join us for the upcoming webinar about Cybersecurity: Top 5 Things You Can Do Tomorrow Morning to Protect Your Practice on May 23, 2018.
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management
Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!