Conducting a HIPAA Security Risk Assessment (SRA) across every aspect of your organization's operations can be a complex endeavor. This is especially true for smaller health practices that have limited resources or no dedicated internal risk auditor. Having a third party compile your assessment gives you help with identifying and anticipating threats to Protected Health Information (PHI).
HIPAA Security Risk Assessment Explained
The HIPAA Security Risk Assessment is required by the Security Rule of the Health Insurance Portability and Accountability Act. The Security Rule, finalized in 2003, requires covered entities to implement administrative, physical and technical safeguards for electronic Protected Health Information (ePHI); the SRA is how an organization satisfies the rule's risk analysis requirement. (The earlier Privacy Rule governs how PHI may be used and disclosed; the safeguard requirements discussed here come from the Security Rule.)
The Security Rule requires a risk analysis and periodic review of it; most organizations conduct a full SRA at least annually, which should yield an unbiased analysis of the organization's security posture. Note that since the 2013 Omnibus Rule, business associates (vendors that create, receive, maintain or transmit PHI on a covered entity's behalf) are directly liable under HIPAA, and a covered entity remains answerable for breaches that occur through those vendors.
Because healthcare providers incur the additional risk of noncompliance through third-party breaches, you need business associates that proactively protect PHI, given the legal and financial ramifications of HIPAA noncompliance.
Cost of Noncompliance
Many organizations fail to conduct a formal risk assessment of their business systems regularly. This is often because they have no HIPAA Compliance Officer in-house or lack the resources to evaluate their own workflows. As a result, they cannot identify the threats to their systems that could lead to PHI breaches and consequent fines.
Failure to conduct an SRA puts your organization at risk of a breach of PHI. Where negligence is to blame for noncompliance, the fines have historically been severe. Your organization may attract a fine for "willful neglect" violations if it:
Fails to Encrypt its Data
Most compromises of PHI are data breaches, and the worst of them involve unencrypted data. To protect your organization, encrypt PHI at rest and in transit, and invest in additional protection for the devices used to access it. Encryption is also the one safeguard that changes the outcome of a breach: under the HHS breach notification rule, PHI that is encrypted according to HHS guidance is not "unsecured", so losing an encrypted device generally does not trigger a reportable breach, whereas losing the same device unencrypted does.
Experiences Theft of Technology
A common HIPAA violation is the loss of a device with PHI on it. You can never fully eliminate the risk of such devices being lost or stolen. What you can do is make the loss harmless: require a passcode or PIN to unlock the device, but pair it with full-device encryption and remote wipe, because a passcode alone does not protect data that can be read directly from an unencrypted disk once the device is in a thief's hands.
Lacks Employee Training
The greatest risk PHI faces comes from untrained employees. They put the organization at risk by losing devices, sending ePHI to vendors without following the required security measures, or unknowingly sharing patient information. Your organization is therefore required to train employees on HIPAA regulations; security awareness and training is itself a Security Rule requirement, not merely good practice.
Note that noncompliance costs can cripple your organization. Civil penalties are categorized into four tiers according to the circumstances under which the violation occurred, with a higher minimum fine per violation at each tier and an annual cap for repeated violations of the same provision. The tiers are:
Tier 1: The organization did not know, and by exercising reasonable diligence would not have known, that it was violating HIPAA. This tier carries the lowest fine, assessed per violation.
Tier 2: The violation was due to reasonable cause rather than willful neglect; the organization knew or should have known of the violation but did not act with willful neglect. The minimum fine per violation is higher than in Tier 1.
Tier 3: The auditors have sufficient evidence of willful neglect, but the organization corrected the violation within 30 days of discovering it. The minimum fine per violation rises again.
Tier 4: Willful neglect that the organization did not correct within 30 days. This tier carries the highest minimum fine per violation. Separately, knowingly obtaining or disclosing PHI in violation of HIPAA can be prosecuted as a criminal offense.
How to Prevent HIPAA Violations with an SRA
Safeguarding PHI goes beyond training your employees, encrypting your data, and identifying threats to your systems. As part of the HIPAA Security Rule, your business must conduct an SRA.
As a third-party IT service provider, we take on the role of your Privacy Officer. Our mandate is to ensure that PHI flows, internal and external, comply with HIPAA privacy programs. The assessment should unearth loopholes in the organization's security and uncover any vulnerabilities. CTI Technology checks your compliance with the 20 Security Standards and more than 60 Safeguard Criteria in place.
A comprehensive HIPAA SRA yields:
A PHI Inventory
The technician creates and reviews a PHI inventory to determine where the organization's data is located. The inventory is saved in a portal for audit purposes and for future SRAs. It includes a detailed overview of where PHI is stored, how it moves, and who maintains it.
Assessment of Current Security Controls
Part of the SRA is identifying and documenting the security controls currently in place. The assessment evaluates whether those controls preserve the confidentiality, integrity and availability of ePHI as it is handled today, and it should yield measures that reduce the identified risks and vulnerabilities to a reasonable and appropriate level.
A Risk Remediation Plan
A risk remediation plan addresses the identified weaknesses and vulnerabilities in the handling of PHI. The plan creates procedures and policies that address each of the risk levels specified. These should include administrative guidelines with a sanction policy under which the organization applies appropriate sanctions to any employee who fails to comply with its security policies.
HIPAA regulations apply to all health plans, health care clearinghouses, and any health care provider that handles or transmits health information electronically, as well as to their business associates. These groups are considered covered entities and are expected to protect electronic protected health information (ePHI). Being compliant also increases your efficacy and productivity. CTI Technology is committed to offering you ongoing monthly assessment. We leverage our IT expertise in HIPAA compliance to help you request a HIPAA Security Risk Assessment. When you work with our consultants, you avoid that last-minute scramble at the end of the year to ensure you have no outstanding security issues.