We all understand the importance of regular health exams. Our doctors and various health organizations frequently cite the necessity of receiving consistent check-ups that can help identify problems before they start, pinpoint issues early, and even increase the chance of proper treatment and cure. There are even organizations that will offer free or low-cost tests of various kinds to ensure everyone receives preventative care.
As healthcare professionals, you understand better than anyone the importance and effectiveness of consistent health exams. Some of you may even recall a firsthand account of lives saved or major physical issues prevented because someone went in for a check-up.
There are many other areas of life that demand consistent monitoring: vehicle maintenance, financial reviews, insurance renewals, and for some of us our kids' grades.
The significance of professional, physical, and even familial reviews is not lost on most of us. But all of these are voluntary efforts. For healthcare practices, unlike health exams and physical checkups, regular risk assessments and vulnerability scans are mandated by the HIPAA Security Rule and are not optional. They are, however, an incredible asset for every practice to ensure patients and their data remain safe, compliant, and secure.
Included in the HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318) is a requirement that covered entities (that's your practice!) perform regular risk assessments. The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions of the HIPAA Security Rule, but completing the assessment is your practice's responsibility.
Regular risk assessments are not just another compliance box to check. An improper or infrequent review can lead to major compliance violations and PHI security breaches, which often bring significant financial penalties, among other consequences.
Risk assessments are the first step in identifying and implementing safeguards that comply with and carry out HIPAA standards. If your practice attests for Meaningful Use, a risk assessment should be performed during any attestation period.
Most of the risk assessment covers policy and procedural items, but roughly one third of the assessment covers technical items.
Here are a few things you should consider while planning your Risk Assessment:
- Do you know if your practice is compliant with HIPAA / HITECH risk assessment requirements?
- Do any of the practice's physicians attest for Meaningful Use?
- Can you locate the practice's HIPAA Policies and Procedures documentation quickly?
- Have you made progress on your Risk Assessment Remediation plan?
As part of the risk assessment, a vulnerability scan should also be performed. Vulnerability scans identify security weaknesses in your systems and networks, such as missing patches, exposed services, and weak configurations. Attackers are very aware of the types of vulnerabilities typically present and are adept at finding and exploiting those weaknesses.
The Security Rule does not prescribe a scanning tool or interval; Medicus IT recommends at least an annual external vulnerability scan. If the practice's physicians attest for Meaningful Use, the risk assessment and the external vulnerability scan should both be performed during every attestation period.
Consistent reporting and documentation from your current IT company should also be a consideration for HIPAA compliance and attestation for Meaningful Use. As you approach your regular risk assessment, you should evaluate the importance and necessity of receiving regular reports.
- Do I receive regular security reports, and, if so, how extensive are those reports?
A truly comprehensive compliance report should cover backups (including whether they succeeded and were tested), firewall security, and documented proof of patch compliance.
- Does my practice maintain an updated asset list?
Although the HIPAA Security Rule does not explicitly require one, OCR guidance indicates that an accurate asset inventory supports several of its other requirements, including Risk Analysis and Risk Management, Information System Activity Review, Device and Media Controls, and Audit Controls. You cannot assess the risk to a device you do not know you have.
All reports and documentation should be saved and kept with your HIPAA Policies and Procedures documentation.
Should the risk assessment or external vulnerability scan identify technical concerns, items that need to be addressed, or items that are not fully compliant with HIPAA / HITECH requirements, we can assist with creating a remediation plan, as required by the Risk Management standard of the HIPAA Security Rule.
If you are not completely confident about the answers to the above items, or you are not receiving any of the previously mentioned reports, we want to help!
Medicus IT takes your practice's security and HIPAA compliance very seriously. If you are unsure of your practice's status, or have questions about risk assessments, external vulnerability scans, or any other Meaningful Use/HIPAA/HITECH items, please don’t hesitate to contact us today!
We are dedicated to supporting healthcare practices so you can focus on what matters most – your patients.
- The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions of the HIPAA Security Rule (45 C.F.R. §§ 164.302–164.318). Included in the HIPAA Security Rule is a requirement that covered entities (that's your practice!) perform regular risk assessments (§ 164.308(a)(1)(ii)(A)). Risk assessments are the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. If the practice attests for Meaningful Use, a risk assessment should have been performed during every attestation period. Most of the risk assessment covers policy and procedural items; roughly one third of the risk assessment covers technical items.
- The HIPAA Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process. The frequency will vary among covered entities. Some covered entities may perform these processes annually or as needed (e.g., every two or three years) depending on the circumstances of their environment. The recommendation from Medicus IT is that practices complete a risk assessment annually.