
How to do a HIPAA Risk Analysis

“We had policies and a privacy officer, but we failed the HIPAA audit. What went wrong?”

Most organizations fail their HIPAA audit because they haven’t completed a HIPAA Risk Analysis. It’s a core HIPAA requirement but is often overlooked.

What is a HIPAA Audit?

The government does HIPAA audits, randomly, to figure out who complies and who doesn’t. They are looking for up-to-date policies and good risk management. The best way to pass an audit is to make sure you’ve completed a HIPAA-compliant Risk Analysis. It’s the key to full compliance, and your path to an A grade on a HIPAA audit.

When HIPAA Risk Analysis is overlooked, bad things happen.

The Office for Civil Rights (OCR) is the agency that oversees HIPAA compliance and conducts the audits. OCR found that 94% of covered entities and 88% of business associates failed the Risk Management section of HIPAA audits. But if done right, and refreshed every year, a Risk Analysis is the perfect blueprint to prevent data breaches and fines for noncompliance.

One common mistake is to tackle only the IT side and do a “security risk assessment.” But this is not the full picture: a complete HIPAA Risk Analysis – Risk Management plan covers all the HIPAA Rules – Privacy, Security, Breach Notification and Enforcement. Our solution covers it all, and gives you the tools to do it yourself.

When OCR investigates, they can impose fines, but they also usually require annual Risk Analysis – Risk Management through a multi-year “corrective action plan.”

Cottage Health Systems and Touchstone Medical Imaging both paid OCR $3,000,000 in fines this year, and were mandated to complete HIPAA-compliant Risk Analysis – Risk Management in future years as part of the settlements.

One of the biggest settlements last year was Fresenius Medical Care North America, where OCR made the point that Risk Analysis must be done at every location. Fresenius also paid $3,500,000 in fines.

Instead of getting caught and being forced, why not learn to do it and avoid the headache and costs?

Why are healthcare organizations failing OCR’s HIPAA Audits?

Because Risk Analysis is misunderstood or overlooked. Does this sound like you?

  1. We’re not sure how
  2. It’s too difficult
  3. It’s too expensive
  4. It takes too much time
  5. It’s not necessary
  6. Maybe next year we’ll do it

We know how to help you do it, calmly, completely and confidently. This year.

What is HIPAA Risk Analysis – Risk Management?

A Risk Analysis is an inventory of locations and risks to protected health information (PHI).

Key elements:

  • The inventory must include both electronic and non-electronic information
  • It must include every location
  • Do it once a year

Risk Management is a plan to reduce the risks you identify. It does not require perfection, or budget-breaking changes.

  • Put in place “Administrative, Technical, and Physical Safeguards” to protect PHI
  • Reduce risks to a reasonable and appropriate level
  • Work on it throughout the year

Risk Analysis uncovers risks (once a year) and Risk Management helps you reduce risks (throughout the year).

Step-by-step guidance makes HIPAA Risk Analysis easy.

Our approach at The HIPAA E-Tool® is to break it down into 3 parts, like a 3-Act play. It’s designed for a busy office manager or compliance officer to do it themselves, as time allows. You can do a chunk at a time, saving your work as you go. And there’s no need for expensive outside consultants.

HIPAA Risk Analysis is like middle school math – you have to show your work.

From The HIPAA E-Tool®

Act 1 is the inventory, starting with a simple list of PHI locations, a list of staff and a list of your business associates. You figure out the risks by naming “threats and vulnerabilities” for the PHI. The HIPAA E-Tool® is interactive: everything you enter in this first section shows up in later sections, so you don’t have to re-enter anything.

Act 2 is the job assignment section. Who will do the action steps required to reduce your risks? What are the deadlines? When have they been completed? Everything you entered in the first sections shows up in this section, keeping you organized and on track.

Act 3 is documentation of everything. If OCR comes calling, this is your proof of compliance!

The Dashboard tracks your progress and reminds you what to do next. You don’t have to complete the Risk Analysis on one day in a busy office. Save your work, check the Dashboard and pick it up again.


Once complete, you archive the whole thing. Next year when you do it again, your information is ready to go. You can easily add, subtract and refresh everything. Every year after the first is easier and faster. But it’s also comprehensive and complete.

With the right tools and step-by-step guidance, you can do a full HIPAA Risk Analysis by yourself. Prevent breaches, avoid fines and pass your HIPAA audit!

And if you have questions along the way, we have answers.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.


Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2019 The ET&C Group LLC.
The HIPAA E-Tool® is a registered trademark of The ET&C Group LLC
