HIPAA Annual Security Risk Assessment Deadline Approaching

November 26, 2021
Ensure you understand the six components of the mandatory HIPAA Annual Security Risk Assessment prior to the December 31st deadline.
White laptop keyboard keys, 'enter' button is blue and the word 'HIPAA' replaces the word 'Enter'

In order to stay compliant under the HIPAA Security Rule, each year optometric practice owners must conduct a security risk assessment to identify risks and vulnerabilities to patient protected health information. As the December 31st assessment deadline approaches, it is important to understand what needs to be done to meet HIPAA risk assessment requirements. There are six components to conducting an accurate and thorough risk assessment:

  1. Collecting Data
  2. Identifying and Documenting Potential Threats and Vulnerabilities
  3. Assessing Current Security Measures
  4. Determining the Likelihood of Threat Occurrence
  5. Determining the Potential Impact of Threat Occurrence
  6. Determining the Level of Risk

Collecting Data

The first step to completing a security risk assessment is ensuring that electronic protected health information is adequately protected by identifying where it is created, stored, received, maintained, or transmitted. HIPAA refers to this as “collecting data”

Identifying and Documenting Potential Threats and Vulnerabilities

Once step one is completed, reasonably anticipated threats and vulnerabilities to ePHI must be documented. This includes how vulnerabilities can be potentially exploited by a threat, and the risk of improper access or disclosure to ePHI that would occur as a result. HIPAA refers to this as “Identifying and Documenting Potential Threats and Vulnerabilities.”

Assessing Current Security Measures

The next step to completing a risk assessment is documenting the current security measures in place to protect ePHI. Those security measures must meet HIPAA Security Rule requirements, and be properly configured and maintained. HIPAA refers to this as “Assessing Current Security Measures.”

Determining the Likelihood of Threat Occurrence

Based on the threats identified in step 2, optometric practices must determine the likelihood of potential risks to ePHI. HIPAA refers to this as “Determining the Likelihood of Threat Occurrence.”

Determining the Potential Impact of Threat Occurrence

Next, the impact that a threat would have if it triggers or exploits a vulnerability must be determined. Would the impact be severe, moderate, or low? If malware exploits a vulnerability, would the impact be severe? HIPAA refers to this as “Determining the Potential Impact of Threat Occurrence.”

Determining the Level of Risk

Lastly, practices must assess the level of risk that identified vulnerabilities to ePHI. HIPAA refers to this as “Determining the Level of Risk.” By determining the level of risk vulnerabilities pose, remediation plans can be created accordingly, ensuring that those that pose the most risk will be addressed quickly.

Security Risk Assessments and HIPAA Compliance

Although conducting a security risk assessment is an important part of HIPAA, it is just one small component of meeting HIPAA requirements. Compliancy Group gives eyecare professionals confidence in their compliance plan, increasing patient loyalty and profitability of their practice, while reducing risk. As an AOAExcel endorsed solution, Compliancy Group is dedicated to helping eyecare professionals across the country succeed. With newly designed software, becoming HIPAA compliant has never been easier. Find out more about Compliancy Group and HIPAA compliance. Get compliant today!

 

 

 

Related News

Preventing Ransomware Attacks in Your Optometric Practice

With the recent rise in ransomware attacks within the healthcare industry it’s important to be aware of the latest trends. Bring these ransomware prevention tips to your next staff meeting.

Five Indicators of Phishing Emails

Take these 5 tips to your next staff meeting to help them identify malicious emails before they wreak havoc on your practice.