HIPAA compliance can be difficult to approach on your own. Healthcare providers and their business associates are required to perform an annual HIPAA Security Risk Assessment (SRA) to ensure that proper physical, administrative, and technical controls are in place to protect health information. By performing a security risk assessment, not only will you be prepared to pass an audit, but you can also protect your organization and its housed information from cybersecurity and privacy threats (after all, that is the point of the SRA and the mandate to perform one each year).
In the event of a HIPAA audit, the first thing that will be examined by the OCR is whether a quality security risk assessment was performed for the audit year. The key word there is “quality.” Anyone can perform a security risk assessment (many use spreadsheets and paper documents to manage their annual SRA, at great difficulty and disorganization), but how can you be sure that your risk assessment is qualitative enough to survive the heavy scrutiny of a federal audit? If you are not too confident in the quality of your SRA, you are not alone. During each of our webinars, we ask a few questions to gauge whether those attending have performed an SRA, and if they have, whether they are 100% confident they would pass an OCR audit. In every webinar, we see similar results. Nearly 60% of respondents that completed an SRA are not 100% confident they would pass an OCR audit. You might say, “well, that’s unfair to ask if someone is 100% confident in something, most people are not that confident about anything.”
Staying up to date on all the latest HIPAA regulations, privacy laws, and state regulations can be difficult. Often, our clients feel less than confident in their HIPAA compliance because they “don’t know what they don’t know.” That is why it is particularly important to look for software and services that work with you side by side to simplify and automate your compliance so you can have confidence you are completing all the necessary HIPAA security and privacy requirements.
We have found that clients utilizing our industry-leading SRA software, HIPAA One®, have significantly higher confidence in their compliance program and in the possibility of passing and audit because we not only follow the OCR audit protocol and incorporate NIST methodologies into our assessment, we have a team of certified assessors to help walk each client through the process. To anyone who is unsure whether their SRA is will meet all the requirements of a HIPAA SRA, here are a few key objectives to look for. A quality SRA should:
- Evaluate the organization’s compliance to HIPAA/HITECH and document the current security controls
- Identify gaps in compliance and security that pose true business risk
- Create a practical remediation roadmap or plan
- Establish a sustainable operating model for information security and privacy
If you can check all these boxes, then your SRA is in great shape. The problem is very few organizations have the resources and expertise to meet these criteria, requiring many to outsource their SRA needs to an external organization. So how can you find a software/tool you can trust? A quality SRA contains features that address HIPAA controls. You should look for an SRA tool that offers:
- An automated and guided approach to your annual assessment; reducing unnecessary human error
- Continually updated software that addresses the most recent HIPAA controls, updates, and NIST standards
- Integrated documentation of policies and procedures to track your ongoing compliance efforts
- Automated task reminders and remediation tracking to ensure remediation tasks are performed
- Calculated risk assessment with prioritization on key business drivers to help protect vital parts of your business and supply chain
- Year-over-year import of prior assessments to ensure consistency and less work in the future
Our humble recommendation would be Intraprise Health’s HIPAA One® software, which is trusted by over 7,000 client sites across the nation. With the flexibility to conduct your SRA independently through the software, or to perform an assessor-led risk assessment, we have affordable options for organizations of all types and sizes. Contact a member of our team to learn more.