Conduct a HIPAA Risk Assessment

CEO of Codex Techworks in Columbus, Ohio, reminds ODs of the impending enforcement date for the HIPAA Omnibus Rule on electronic health records and patient privacy—and the potential fines for non-compliance. He recommends three immediate actions: Conduct a risk assessment, document in detail your system for storing and protecting the privacy of patient health records, and remediate and document any problems you found. Included here are steps and online resources to take the critical first step: conducting a risk assessment.

Strickling recommends three action points:

Conduct a risk assessment—a detailed analysis.

Document your system for storing and protecting the privacy of patient health records—document this in detail.

Remediate any problems you found, and document your process of correcting them.

Failing to take these three critical steps, Strickling warns, could result in hefty fines following audits of practices.

Steps and Resources for Conducting a Risk Assessment

Step 1: Familiarize yourself with the HIPAA Rule, via an overview and FAQ section from Health & Human Services.

A helpful overview of the privacy requirements is found in this Summary of the HIPAA Privacy Rule.

Step 2: Increase your understanding by delving deeper into the HIPAA Rule via the complete document from the Federal Register (1/25/13).

This is a 138-page PDF document, with a helpful Executive Summary and Background section on pages 1-4.

Step 3: Formulate your risk assessment plan via a “Guide to Conducting Risk Assessments” from the National Institute of Standards and Technology. This is a 95-page PDF document, of which the first 39 pages are key; the remainder is an appendix.

Step 4: Plan a risk assessment: Offices and staff sizes vary, but most practices should plan to spend about a week conducting a risk assessment. There is a great deal of information to be collected, so delegate data collection to various staff members and have one person (e.g., office manager) serve as project manager, recording the findings in a central document. Alternately, if this task would overwhelm your staff, there are consultants and services that can be hired to aid a practice in achieving and documenting HIPAA compliance.

Click on the triangular play button in the box below to play the video.