The Health Insurance Portability and Accountability Act was signed into law in August 1996, a milestone piece of legislation intended to simplify the administration of healthcare, prevent healthcare fraud, eliminate waste, and ensure insurance coverage was not lost when employees were between jobs. Since then HIPAA has seen numerous significant updates, including the HIPAA Privacy Rule (2003), the HIPAA Security Rule (2005), the HIPAA Enforcement Rule (2006), the HITECH Act and the Breach Notification Rule (2009), and the HIPAA Omnibus Final Rule (2013).
Not to be overlooked is HITRUST, a certification framework whose control set incorporates the HIPAA and HITECH requirements alongside other standards.
When do I do Risk Assessments?
While the act is broad in intent and detail, for practical purposes it comes down to an organization's proper control, privacy and security of the Protected Health Information (PHI) it collects, stores and uses, and to the risk assessment of its internal controls. The Security Rule requires a risk analysis of the threats to e-PHI and periodic review of that analysis, but it does not specify a frequency.
This has led to the question of whether risk assessments must be performed on a one-, two- or three-year recurring schedule. A consensus best practice of an annual cadence has emerged within the covered entity and audit community. What the Security Rule does require is that the risk analysis be revisited in response to environmental or operational changes affecting e-PHI: if an organization has gone through system changes or upgrades, or has merged with or acquired another business entity, the HIPAA risk assessment should be performed in that year.
The annual risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards, and helps reveal areas where PHI could be at risk.
What should the Annual Risk Assessment include?
The updated HIPAA Security Risk Assessment (SRA) tool, published by ONC and OCR, broadly addresses risks to the confidentiality, integrity, and availability of health information. It walks through the HIPAA Security Rule safeguards and lets your organization document how it implements, or plans to implement, safeguards to mitigate each identified risk.
The risk assessment should also identify any areas where PHI that the organization possesses and controls could be at risk, and what is being done to manage and limit those risks. Best practice is for the annual risk assessment to encompass both the HIPAA Rules and the HITECH Act, as follows:
- HIPAA Security Rule requirements on covered entities and business associates to maintain reasonable and appropriate administrative, technical, and physical safeguards that ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
- HIPAA Privacy Rule regarding the range and types of information being collected and the permissible uses of that information.
- HITECH Act provisions that address the privacy and security concerns associated with the electronic transmission of PHI, in part through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
- Examination of existing IT compliance and information security policies and procedures.
- Review of the IT compliance and information security staff structure and division of responsibilities.
- Review of records pertaining to vendor risk categorization and assessment.
- Confirmation of the evidence documenting the implementation of the administrative, technical and physical controls required under the Security Rule.
It is vital to get ahead and stay ahead of the HIPAA regulations through the annual risk assessment and subsequent gap remediation. The ramifications for your business of not complying with HIPAA can range from painful to downright devastating. Penalties for non-compliance can be civil or criminal depending on the nature of the violation; civil money penalties are tiered by level of culpability and assessed per violation, so a breach affecting a large number of records can carry a correspondingly large penalty.
Let BostonCOMPLY help you. A simple call can provide guidance, lead to compliance with the HIPAA and HITECH regulations in a practical and efficient manner, and prepare you for HIPAA and/or HITRUST audits and certification processes.