What is a HIPAA Risk Assessment?

September 27, 2019

Health records are worth hundreds or even thousands on the black market. Do you have policies and security in place to protect your customers’ information? Are you sure? What happens if you have a breach?

Risk Assessments in Practice

HIPAA requires that a risk assessment be completed every year, or as soon as there are any major changes to the physical or digital environment. There are 100+ questions the government requires you to answer, covering the different areas of your business in which PHI might reside. This includes administrative practices, technical logistics, and the physical location of your business and the PHI you work with.

Examples of questions:

  1. Does your business consider how natural or man-made disasters could damage its information systems or prevent access to ePHI and develop policies and procedures for responding to such a situation?
  2. Does your business have policies and procedures that make sure those who need access to ePHI have access and those who do not are denied such access?
  3. Does your business have policies and procedures for verifying that a person or entity seeking access to ePHI is the one claimed?
  4. Do you have an inventory of the physical systems, devices, and media in your office space that are used to store or contain ePHI?
  5. Does your business use laptops and tablets as workstations? If so, does your business have specific policies and procedures to safeguard these workstations?

Why is a Risk Assessment Important?

It’s always important to know what you don’t know! A risk assessment is an opportunity for you to discover what holes there may be in your systems or location that open you up to a data breach. You can (and must!) then take steps to address those vulnerabilities. Knowing what needs to be done, and doing it, will bring peace of mind to you, your employees, and your patients or customers.