Staying Compliant in Healthcare: Conducting a HIPAA Risk Assessment

HIPAA (Health Insurance Portability and Accountability Act) serves as a constant reminder to professionals in the healthcare field that data security is of utmost importance. As a result, every company that works directly with protected health information (PHI), along with its business associates, needs to complete a risk assessment.

What is a Risk Assessment?

HIPAA requires covered entities to complete a thorough risk assessment that identifies all possible vulnerabilities affecting data security. Covered entities include health plans, healthcare providers, and healthcare clearinghouses. A HIPAA risk assessment should document that your organization complies with all of the privacy, security, and breach notification requirements of HIPAA, and it is required of both covered entities and business associates. The risk assessment process itself is how an organization identifies all of its potential areas of vulnerability.

Why is a HIPAA Risk Assessment Mandatory?

HIPAA regulations exist to cover data security. Covered entities are responsible for assessing, identifying, and documenting vulnerabilities, and for taking precautions to eliminate or mitigate the risk of a breach. An organization can face fines for failing to exercise due diligence in recognizing areas where a data breach could occur. For example, the Centers for Medicare and Medicaid Services reported that a wireless health service provider violated the HIPAA Privacy and Security Rules when someone stole a laptop containing PHI from an employee’s vehicle. The investigation revealed an insufficient risk analysis, and the company agreed to pay $2.5 million and implement a corrective action plan. Companies are also subject to fines even when no data breach occurs, if they allow a situation to develop that creates a vulnerability.

What Does a HIPAA Risk Assessment Entail?

Due to the unique vulnerabilities of electronically stored and transmitted data, a professional in cybersecurity, data protection, and data backups should handle your risk assessment. Wahaya IT’s cybersecurity and compliance services can assist your organization with internal compliance and with meeting the specific legal requirements that apply to you. Here is a quick summary of what a risk assessment entails. A risk assessment should first determine where PHI resides, moves, or is transmitted, and all of the access points along the way: for example, which individuals in an office have access to patient data, and through which media. The rise of mobile devices has created a new area of concern for data security, because medical professionals can now access patient data on their phones and tablets.

Then, the assessment should determine the vulnerabilities along all of these touchpoints. That means identifying the threats to data security, which HHS summarizes in four categories:

  1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  2. Unintentional errors and omissions
  3. IT disruptions due to natural or man-made disasters
  4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Next, a risk assessment will need to identify and evaluate all existing security protocols to protect PHI.

The following step determines whether these tools are sufficient for data protection and whether the protocols and safeguards are actually followed in practice.

After that, estimate the likelihood of each threat. Not all risks are equally probable, and there are limits to an organization’s capacity to eliminate risk, so the focus should be on the threats with a higher likelihood of occurrence.


Finally, calculate the likely consequences of a breach of PHI. If a breach occurs along any particular touchpoint, how severe would it be? Would it be the release of a single piece of PHI or one affecting thousands? Given that so much data is stored electronically, the risk of a data breach is considerably higher, and security is far more complex. People need to note that ignorance of any part of HIPAA Guidelines is not an excuse for non-compliance. Failure to do a risk assessment or to have conducted an adequate risk assessment that failed to identify specific vulnerabilities is, in and of itself, a fineable offense.
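The steps above (inventory PHI touchpoints, map each to one of the four HHS threat categories, record existing safeguards and whether they are followed, then rate likelihood and impact and prioritize) can be captured in a small risk register. The following is an added illustration written for this article, not Wahaya IT’s tooling or any HHS-published method; the 1–5 rating scale, the one-step likelihood penalty for a safeguard that exists on paper but is not followed, and every touchpoint in the sample register are assumptions constructed for the example.

```python
"""Minimal HIPAA-style risk register (added example; constructed sample data).

Mirrors the assessment steps described in the article:
  1. where PHI resides, moves, or is transmitted (each Touchpoint)
  2. which of the four HHS threat categories applies
  3. which safeguards already exist
  4. whether those safeguards are actually followed
  5. likelihood rating, 6. impact rating, then ranking by combined score.
"""
from dataclasses import dataclass

# The four threat categories the article attributes to HHS.
HHS_THREAT_CATEGORIES = {
    "disclosure": "Unauthorized (malicious or accidental) disclosure, "
                  "modification, or destruction of information",
    "error": "Unintentional errors and omissions",
    "disruption": "IT disruptions due to natural or man-made disasters",
    "due_care": "Failure to exercise due care and diligence in the "
                "implementation and operation of the IT system",
}

# Assumed rating scale for both likelihood and impact (1 = lowest, 5 = highest).
SCALE = range(1, 6)


@dataclass(frozen=True)
class Touchpoint:
    """One place PHI resides, moves, or is transmitted (hypothetical layout)."""
    name: str
    threat: str                  # key into HHS_THREAT_CATEGORIES
    safeguards: tuple[str, ...]  # existing protocols protecting PHI here
    followed: bool               # are those safeguards observed in practice?
    likelihood: int              # chance the threat materialises, 1-5
    impact: int                  # severity if it does: 1 = one record, 5 = thousands

    def __post_init__(self):
        # Reject records that do not fit the method instead of scoring them wrongly.
        if self.threat not in HHS_THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.threat}")
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1-5")


def risk_score(tp: Touchpoint) -> int:
    """Likelihood x impact. A documented safeguard that is not followed gives no
    real protection, so (assumption) effective likelihood is raised one step."""
    likelihood = tp.likelihood
    if tp.safeguards and not tp.followed:
        likelihood = min(max(SCALE), likelihood + 1)
    return likelihood * tp.impact


def rank_risks(register):
    """(name, score) pairs, highest risk first; name breaks ties deterministically."""
    scored = ((tp.name, risk_score(tp)) for tp in register)
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def unenforced_safeguards(register):
    """Step-4 finding: safeguards that exist on paper but are not being followed."""
    return [tp.name for tp in register if tp.safeguards and not tp.followed]


def uncontrolled(register):
    """Touchpoints with no safeguard at all."""
    return [tp.name for tp in register if not tp.safeguards]


# Constructed sample register for a small practice; none of this is a real finding.
SAMPLE_REGISTER = (
    Touchpoint("Laptop with patient export left in staff vehicle", "disclosure",
               ("full-disk encryption",), followed=False, likelihood=3, impact=5),
    Touchpoint("Clinician phones running the EHR app", "disclosure",
               ("MDM with remote wipe", "screen lock"), followed=True,
               likelihood=3, impact=4),
    Touchpoint("Front-desk fax of referrals", "error",
               (), followed=True, likelihood=3, impact=1),
    Touchpoint("On-premises EHR server with local-only backup", "disruption",
               ("nightly local backup",), followed=True, likelihood=2, impact=5),
    Touchpoint("Shared admin password on billing system", "due_care",
               (), followed=True, likelihood=4, impact=4),
)

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_REGISTER):
        print(f"{score:2d}  {name}")
    print("documented but not followed:", unenforced_safeguards(SAMPLE_REGISTER))
    print("no safeguard at all:", uncontrolled(SAMPLE_REGISTER))
```

The ranking puts the unencrypted-in-practice laptop first, which matches the article’s point that a safeguard nobody follows is a finding in its own right, not a mitigation. Running it prints the register ordered by score so the highest-likelihood, highest-impact touchpoints are addressed first.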

Given how quickly the digital landscape changes, it is important to consult an expert with HIPAA-related digital security experience. Wahaya IT can help protect your business and your patients’ PHI from HIPAA violations by conducting a thorough risk analysis, adding data security measures, and following all security and compliance regulations.

June 29, 2020