HIPAA rules and regulations require you to complete a risk assessment regularly, but you may still be asking WHY you have to do this.
The legal ramifications are obvious. If audited, you’ll have to show a risk assessment as part of your HIPAA compliance program. And remember, an audit or investigation can be triggered for several reasons, from an employee or patient complaint to a data breach. We could stop there in listing reasons to complete one, but there are other factors you should understand that may make you more determined to perform one for your organization, regardless of what HIPAA requires.
Beyond the Realm of Law
There are other reasons, outside the legal realm of HIPAA, that make a risk assessment just as critically important for your business. First and foremost, you need to identify weaknesses before you can address and correct them. Every organization has weak spots that could be strengthened, so assuming your business is excluded or “above” such problems is simply putting your head in the sand.
Identifying and acknowledging the risks that could compromise your patients’ protected health information (PHI) gives you a detailed understanding of how a compromise can happen. From there you can create a remediation plan to prevent those weak spots in your organization from being exploited. This is the follow-up to your risk assessment and is often referred to as a risk management plan. Once you have this foundation, you can build upon it to reduce your risk of a breach or employee mistake and, even more importantly, know how to react if one should happen. A remediation plan should be updated as you make improvements, but it is also important to document why you may have chosen not to address a particular weakness at this time.
HIPAA compliance can seem overwhelming, but this first step gives you a map that is as critical to your success as a business plan was to launching your business in the first place.
Still Not Sure?
Imagine showing up to an IRS audit and telling them that you don’t have any completed tax returns. You’d be fined, you’d be scolded, and you’d be in trouble. And you would still have to do the tax returns. Not having your documented risk assessment is going to put you in the same situation.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now! offers annual online subscriptions to help covered entities and business associates keep up with compliance.
The HIPAA Secure Now! suite of subscriptions offers an extensive list of tools to provide ongoing training, assessment, moderation activities and more to support an organization’s privacy and security efforts. Subscriptions also support the process of conducting an annual Security Risk Assessment to meet MIPS and Promoting Interoperability requirements.
The subscriptions work for organizations of all sizes, both Covered Entities and Business Associates. All are priced at a flat annual fee, based on the number of employees, for a full 12 months. All include a discount if purchased through us.
If your organization has more than 50 employees, if you’d like to schedule a demo, or if you just want a couple of questions answered, take a few seconds to complete this form and we will get back to you.