HIPAA Annual Security Risk Assessment Deadline Approaching
In order to stay compliant under the HIPAA Security Rule, each year optometric practice owners must conduct a security risk assessment to identify risks and vulnerabilities to patient protected health information. As the December 31st assessment deadline approaches, it is important to understand what needs to be done to meet HIPAA risk assessment requirements. There are six components to conducting an accurate and thorough risk assessment:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Collecting Data
The first step to completing a security risk assessment is ensuring that electronic protected health information (ePHI) is adequately protected by identifying where it is created, stored, received, maintained, or transmitted. HIPAA refers to this as “Collecting Data.”
Identifying and Documenting Potential Threats and Vulnerabilities
Once step one is completed, reasonably anticipated threats and vulnerabilities to ePHI must be documented. This includes how vulnerabilities can be potentially exploited by a threat, and the risk of improper access or disclosure to ePHI that would occur as a result. HIPAA refers to this as “Identifying and Documenting Potential Threats and Vulnerabilities.”
Assessing Current Security Measures
The next step to completing a risk assessment is documenting the current security measures in place to protect ePHI. Those security measures must meet HIPAA Security Rule requirements, and be properly configured and maintained. HIPAA refers to this as “Assessing Current Security Measures.”
Determining the Likelihood of Threat Occurrence
Based on the threats identified in step 2, optometric practices must determine the likelihood of potential risks to ePHI. HIPAA refers to this as “Determining the Likelihood of Threat Occurrence.”
Determining the Potential Impact of Threat Occurrence
Next, the impact that a threat would have if it triggers or exploits a vulnerability must be determined. Would the impact be severe, moderate, or low? If malware exploits a vulnerability, would the impact be severe? HIPAA refers to this as “Determining the Potential Impact of Threat Occurrence.”
Determining the Level of Risk
Lastly, practices must assess the level of risk that the identified vulnerabilities pose to ePHI. HIPAA refers to this as “Determining the Level of Risk.” By determining the level of risk each vulnerability poses, remediation plans can be created accordingly, ensuring that those that pose the most risk are addressed first.
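The six steps above amount to building a risk register and ranking it. The following is an added example (not code from the page, Compliancy Group, or the AOA) showing how the steps map onto a small register: each entry records where ePHI lives, the threat, the current safeguard, and the likelihood and impact ratings; the level of risk is then derived from likelihood and impact and the entries are ordered for remediation. The three-point rating scale for likelihood, the numeric thresholds for high/medium/low, and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal ratings. The page rates impact as severe/moderate/low; the same
# three-point scale is reused here for likelihood (an assumption, not HIPAA text).
RATING = {"low": 1, "moderate": 2, "severe": 3}


@dataclass
class RiskEntry:
    """One row of a risk register, following the page's six steps."""
    asset: str          # step 1: where ePHI is created, stored, or transmitted
    threat: str         # step 2: threat that could exploit a vulnerability
    safeguard: str      # step 3: current security measure in place
    likelihood: str     # step 4: low / moderate / severe
    impact: str         # step 5: low / moderate / severe


def risk_score(likelihood: str, impact: str) -> int:
    """Step 6: combine likelihood and impact into a score from 1 to 9."""
    return RATING[likelihood] * RATING[impact]


def risk_level(score: int) -> str:
    """Map the numeric score onto a three-tier level (thresholds are assumed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(register: List[RiskEntry]) -> List[Tuple[str, int, RiskEntry]]:
    """Return (level, score, entry) tuples, highest risk first, so that
    remediation can be planned in that order. sorted() is stable, so entries
    with equal scores keep their original relative order."""
    scored = []
    for entry in register:
        score = risk_score(entry.likelihood, entry.impact)
        scored.append((risk_level(score), score, entry))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register (illustrative only, not from any real practice).
SAMPLE_REGISTER = [
    RiskEntry("practice-management server", "ransomware via unpatched software",
              "antivirus only, patches applied ad hoc", "moderate", "severe"),
    RiskEntry("staff laptop with exported records", "loss or theft of device",
              "full-disk encryption enabled", "moderate", "low"),
    RiskEntry("email account with patient attachments", "phishing leading to account takeover",
              "password only, no multi-factor authentication", "severe", "moderate"),
    RiskEntry("guest Wi-Fi network", "unauthorized access to clinical systems",
              "segmented from the clinical network by firewall", "low", "low"),
]

if __name__ == "__main__":
    for level, score, entry in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} ({score}) {entry.asset}: {entry.threat} [{entry.safeguard}]")
```

Running the block prints the register highest risk first; the unpatched server and the email account without multi-factor authentication both score 6 and land at the top, while the encrypted laptop and the segmented guest network fall to the bottom, which is the ordering a remediation plan would follow.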
Security Risk Assessments and HIPAA Compliance
Although conducting a security risk assessment is an important part of HIPAA, it is just one small component of meeting HIPAA requirements. Compliancy Group gives eyecare professionals confidence in their compliance plan, increasing patient loyalty and profitability of their practice, while reducing risk. As an AOAExcel endorsed solution, Compliancy Group is dedicated to helping eyecare professionals across the country succeed. With newly designed software, becoming HIPAA compliant has never been easier. Find out more about Compliancy Group and HIPAA compliance. Get compliant today!