Risk Assessment: The Core of HIPAA Compliance

Risk Assessment: The Core of HIPAA Compliance

by Stacy Harper, JD, MHSA, CPC

The core of any effective HIPAA compliance program is the development of a risk assessment and management process. An effective risk assessment and management process should include, at least: inventory, flow, scope, threats/vulnerabilities, likelihood, impact, risk, and response.

Inventory

For HIPAA compliance, the inventory should focus on identification of all of the locations where protected health information (PHI) is stored or transmitted. This usually begins with the servers that store the electronic medical record or practice management software, and should include other ancillary storage of PHI (e.g., e-mail systems, back-up drives, laptop computers).

Flow

Next, diagram the flow of information through the organization. For HIPAA compliance, this flow should track the movement of PHI in and out of the organization.

Scope

Not every risk assessment must be comprehensive. For example, a risk assessment may focus on HIPAA implications related to the implementation of an electronic medical record.

Threats/Vulnerabilities

To determine potential threats and vulnerabilities, the organization can consider information such as transmittals, alerts, or relevant guidance from regulatory agencies or payers; recent audit results or compliance investigations; coding or regulatory changes; and other industry guidance. The more specific the organization is in identifying threats and vulnerabilities, the more specific the risk assessment will be.

Risk Assessment

A risk is the extent to which the organization is threatened by a particular event, considering:

  1. the probability that a particular threat will exercise a particular vulnerability, and
  2. the resulting impact if this should occur.

There are different methodologies for calculating the level of risk. As part of the process, the organization should document the methodology used. What factors were considered in determining the likelihood and probability? What matrix was used to convert the likelihood and probability combination into a risk?

Ongoing Management Completes the Process

For the process to be complete, the organization must also respond to the identified risks and document the response. For each identified risk, the organization should document potential options evaluated for response, the option selected, the reason that option was determined to be appropriate, and the plan for implementation. This risk management plan can then be integrated into future assessments to evaluate the effectiveness of each response.

2017-code-book-bundles-728x90-01

One Response to “Risk Assessment: The Core of HIPAA Compliance”

  1. Debbie Simpson says:

    More of a question. When sending out Change of Appointment postcards, should they be placed inside an envelope for HIPAA privacy?

Leave a Reply

Your email address will not be published. Required fields are marked *