HIPAA risk analysis is the core of a seamless HIPAA compliance program.
If you want to do better with HIPAA compliance you can create a checklist to make sure you’re hitting all the right steps. Don’t think of the checklist as a shortcut though – it’s a map to guide you to each step. Follow it, stay organized and gain confidence.
You can review specifics about how to do a risk analysis here, but today provides a high level checklist review. The checklist helps you get organized, assemble key documents and find team members to help.
Remember that a HIPAA risk analysis should be completed at least once a year, and each location needs its own site-specific risk analysis. Apply the nine checklist items below separately to each location.
HIPAA Risk Analysis is a Team Effort
1. Alert team members who may contribute that the risk analysis is coming. Let them know well in advance so they can prepare.
One person is usually assigned the central responsibility to manage the risk analysis but the job often requires expertise and input from others. No matter the size or type of organization (with the exception of true sole proprietors), at least two or three job functions are key. An owner, the IT staff, a practice manager, compliance manager and HR are all examples of key staff needed for HIPAA risk analysis. By involving others in the process you also help create a culture of compliance throughout the organization. This is critical for a well-rounded 365-day a year approach to HIPAA risk management.
HIPAA Risk Analysis Includes a Security Risk Assessment
2. Engage IT team early on and review your Security Rule Checklist.
Whether you have IT expertise on staff or under contract, make sure they are central to the process. In some cases the IT staff are running the risk analysis and if so, they need to engage general compliance staff and HR.
Note that the risk analysis must include both electronic and non-electronic assets and information, including paper, film, a list of staff and whether they’ve been trained, business associates, and multiple policies and procedures.
HIPAA Risk Analysis Begins with an Inventory
3. Be prepared to list locations of all electronic and non-electronic protected health information (PHI) for which you’re responsible.
4. Be prepared to list all staff members who come into contact with PHI.
Have they been trained in HIPAA? Is their level of access in line with their job responsibility?
5. Be prepared to list all business associates (or, if you are a business associate, list any subcontractor BAs) that create, receive, maintain or transmit PHI.
Have you done due diligence for each of them and do you have a business associate (or subcontractor BA) agreement in place?
HIPAA Risk Analysis Requires Choices and Judgments
6. Make honest assessments about threats and vulnerabilities.
The Office for Civil Rights (OCR) is not looking for a squeaky clean perfect grade A+ when it evaluates an organization’s risk analysis. Squeaky clean perfection is impossible. Every organization has risks of some kind. The only way to improve is to make realistic judgments and implement safeguards to reduce those risks unique to your organization.
7. Assign responsibility for tasks to reduce the risks throughout the year.
HIPAA compliance is a process and doesn’t happen overnight. But when individuals take responsibility for reducing risks within their area of job responsibility, you have a much better chance of bringing risks down to a reasonable and appropriate level.
Complete the HIPAA Risk Analysis – Risk Management Cycle
8. Document and date everything.
If OCR or a state attorney general investigates, or if you find yourself defending a breach of privacy lawsuit, you need to prove you completed the risk analysis and show the steps you took to reduce any risks found. HIPAA requires that you save risk analysis documentation for six years.
9. Review throughout the year, and repeat once a year.
HIPAA risk analysis is an assignment that can be completed once a year. HIPAA risk management uses the lessons learned in the analysis and continues to refine and improve procedures year round.
Stay Current and Update Policies as Needed
HIPAA law is dynamic and changing. If your policies are more than a year or two old, make sure they are up-to-date. Changes happened during the pandemic, some temporary, some permanent, and there may be changes ahead.
The HIPAA E-Tool® is the easiest way to stay current because we monitor the law and update the policies as soon as change happens. If you need help and want a convenient path to full compliance, send us an email or give us a call.