Compliance Checkup: Completing a Risk Analysis - What You Need to Know to Secure Your Practice in 2020
By Laura F. Fryan on January 7, 2020
Happy New Year! Let’s start this year’s Compliance Checkup with a very important topic from HIPAA. Remember the Compliance Checkup where we discussed which documents the Office for Civil Rights may ask for if your practice has to report a HIPAA breach? One of these documents is a risk analysis. The HIPAA Security Rule requires covered entities and business associates to:
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” 45 CFR § 164.308(a)(ii)(A).
If this seems complicated, you don’t know where to start, or you need a refresh on the basics of completing a risk analysis, I’ll let you in on a secret.
There are a lot of resources to help you with a risk analysis, and some are free! Here’s the how, when, and why of a risk analysis:
Many IT vendors and security consultants have their own templates for a risk analysis, but you can find a free template here, developed by the Office of the National Coordinator for Health Information Technology and the Office for Civil Rights. You can download the electronic tool or scroll down to the bottom for paper documents you can download and print or fill out electronically.
Whichever risk analysis template your organization uses, it should walk you through each administrative, technical, and physical safeguard requirement and help you identify areas of risk in your organization. Here’s an example from the tool linked above:
HIPAA does not specify how frequently to perform a risk analysis. Think about whether your organization should perform a risk analysis annually or on another established schedule, like biannually or every three years. Remember, if your organization has to report a data breach, the Office for Civil Rights is likely to ask for your organization’s latest risk analysis, so prepare with this in mind.
A risk analysis is required for all covered entities and business associates. Look at this activity as a way to assess your organization’s HIPAA compliance on a regular basis. A thorough risk analysis will help you identify areas of weakness so you may address these areas and mitigate risk. You may also use the information gleaned from a risk analysis to help your organization make decisions, for example:
- Design better employee screening processes
- Identify what data to back up and how
- Decide whether and how to use encryption
- Determine the appropriate manner of protecting health information sent by mail, email, etc.
If you have any questions about the risk analysis process or encounter any compliance issues during your organization’s regular risk analysis, contact the Brouse Health Care Practice Group. The Brouse Health Care Practice Group understands the importance of data security, and we have attorneys and resources that can help you achieve peace of mind through security for your organization in 2020.