The results are in from the early HIPAA audits by the Department of Health and Human Services (HHS). Want to know the major weakness the government's auditors found? The compliance deficiency all-too-common among healthcare practices? It was, according to HHS, "the lack of a thorough risk analysis."
Time after time, auditors would ask to see evidence that the covered entity had performed a risk analysis. And time after time, much to their dismay, the answer they heard was, “A what?”
Probably because that response was so widespread, HHS has since developed some excellent materials aimed at helping healthcare providers understand why a risk analysis is necessary and how to go about doing one. I'd like to share those with you today.
The 8-minute video that could save your practice from failure
For the record, a risk analysis, as the HIPAA Security Rule defines it, requires a covered entity to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the covered entity." Note that all three properties are in scope: a risk analysis that looks only at unauthorized disclosure, and ignores data corruption or loss of access to records, is not thorough.
To help you avoid getting an “F” on your HIPAA audit, the Department of Health and Human Services produced a video that provides an overview of the why’s and how’s of a risk analysis. I could fill the screen here with a lot of words on that very topic, but this little video does such a good job with the basics, the best words I can type now are the ones that will take you to it on YouTube: Click here.
Getting down to the nitty-gritty of risk analysis
So important is a risk analysis to the well-being of a practice that the government has taken the extra step of creating a downloadable Security Risk Assessment Tool. Mostly it consists of questions that provide insight into what the law requires. But it doesn't stop there. On the same page as each question, you'll also see a section with the three topics below, each of them an invitation to click and learn more about the particular issue that question addresses:
- Things to Consider
Provides explanations of requirements, definitions of legal terms, and — as the heading says — things to consider when it comes to avoiding risk to ePHI.
- Threats and Vulnerabilities
Spells out the impact on a practice and on ePHI if certain actions aren’t taken.
- Examples of Safeguards
Offers up a “To-Do List,” of sorts, to help providers develop action plans around the issues addressed in each question.
To download your Security Risk Assessment Tool, click here to go to that page on the healthIT.gov website.
“You’re welcome.” – Uncle Sam
The government is often criticized for the way it does things or fails to get things done. But sometimes, Uncle Sam gets it right. In my opinion, the tools HHS has put together to help a healthcare practice perform a risk assessment and pass a HIPAA audit are well worth checking out.
BIO: Roman Diaz is president and founder of Touchstone Compliance, a San Diego-based company offering a comprehensive suite of interactive online tools for meeting HIPAA standards.