The Health Insurance Portability and Accountability Act (HIPAA) granted the Secretary of Health and Human Services the power to establish regulations for covered entities, including the information security policies of the entity. An important aspect of the security regulations is regularly assessing risks to the entity’s information systems and infrastructure under section 164.308(a)(ii)(1) of the security regulations. If you are a health care provider, clearinghouse, or insurance company (and under ARRA, if you are a business associate of one of these covered entities), you are required to conduct risk assessments of your information systems on a regular basis. In addition, if you are a qualifying health care provider under the Medicaid or Medicare program who uses a certified electronic health record and wishes to qualify for the meaningful use incentive payments, one of the core requirements of meaningful use is that you regularly conduct a risk assessment of your information systems.
Risk Assessment Document Online

Faith At Law now offers an online form to help walk you through assessing the risks to your information systems. Completing this form online will allow you to conduct a risk assessment and obtain documentation of your findings and proposed mitigations for the risks identified. You can purchase a single system risk assessment, or you can buy bundles of risk assessments if you have several systems that you wish to assess.
- Single System Risk Assessment
- 2-5 Systems Risk Assessment Bundle
- 6-10 Systems Risk Assessment Bundle
- 11-20 Systems Risk Assessment Bundle
Contact Us if you would like to schedule time to conduct a risk assessment with us.
Section 164.308(a) specifically requires a covered entity to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Id. This analytical process is helpful to the organization for several reasons. First, inventorying the information systems in use in the organization helps to categorize the extent of the organization’s exposure to security threats. Second, spending time identifying known problems or vulnerabilities helps to clarify what should be budgeted for mitigating them. Third, all risk assessment methodologies require an organization to balance the potential impact of a risk against the available mitigations, and to choose a reasonable mitigation (one whose cost is less than the adjusted risk of loss to the organization).
The following is an overview of the Risk Assessment Process:
Want to learn more or need help performing a risk assessment? Contact us by phone or email to have a document reviewed or to ask a specific question concerning HIPAA compliance.
There are a wide variety of analytical tools available today to help a provider assess risk to their business organization. For example, the Centers for Medicare & Medicaid Services (CMS) has developed a risk assessment system that aids a provider in categorizing existing information systems, evaluating what risks exist to those systems, what mitigations are in place to reduce those risks, and what residual risks are great enough that either additional mitigations are required or the business owner must accept them in order to continue operating the system. See Centers for Medicare & Medicaid Services (CMS) Information Security Business Risk Assessment Methodology, version 2.1 (May 11, 2005).