According to HIPAA (the Health Insurance Portability and Accountability Act), all healthcare organizations and companies must implement the procedures and policies needed to safeguard the privacy and security of patients’ health information (also known as PHI, or Protected Health Information).
That’s why every business that comes into contact with PHI (storing, receiving, generating, or transmitting it) must undergo an annual HIPAA risk assessment. If you introduce new working methods or technologies into your system, it’s also important to redo the risk assessment even if less than a year has passed since the last one.
The HIPAA risk assessment is mandatory, and the fines for even a small breach are harsh. The loss of reputation can also be fatal for any business that wants to grow in the healthcare industry. As an added bonus, the analysis helps you discover security breaches waiting to happen before they do.
What Does It Mean for My Business?
Audit and Analysis
The purpose of the risk assessment is to audit the safeguards a business has in place to prevent the theft of PHI stored or handled in electronic format. The analysis thoroughly investigates all internal processes, business flows, collaborators, and technologies to identify vulnerabilities and any other scenarios in which the integrity of the PHI could be affected.
Proper IT Support
As part of the assessment, you have to prove your business is capable of reacting fast in case of an unexpected cyberattack that may succeed. This implies the existence of a solid IT support layer that can activate its countermeasures as soon as they are needed.
For many small and medium-sized businesses, the best way to achieve this is to work with a local business partner specialized in serving HIPAA-covered entities. In short, an IT support company in San Diego that meets the requirements can serve several clients who need a reliable collaborator.
Types of Safeguards
Each risk assessment session should cover the three main types of safeguards a business should implement: administrative, technical, and physical.
We’ll briefly go through each type so you can get a broader perspective of what it means to be truly prepared in today’s climate of constant cyberattacks and deceptive online behavior.
Administrative Safeguards
Start by assessing your personnel:
- Who has access to PHI and how (via electronic devices, remotely, only with the proper credentials, and so on);
- Who has access to the more sensitive parts of the system (keep all their data, contact information, and addresses on file);
- Is there an access hierarchy for the data, or can anyone access anything?
Moving forward, check your policies and procedures:
- Is there a sanction policy in place if one of the employees breaks the rules?
- Do you run training sessions to help employees understand the need for an increased level of security?
- Is there a specific plan for dealing with breaches, should they happen?
Technical Safeguards
This section covers everything related to the technologies used in the company and the ways to handle the situation if something goes awry. Start by checking the data backup plan and the security of the backups themselves, then move on to the level of encryption used for communications.
Also check the security in place for remote access, website security, password requirements, and so on.
Physical Safeguards
For this section, look at who can enter your business premises and why. For instance, do you receive visitors who have nothing to do with the business? Is there a monitoring system for the entry and exit points?
Does your business store physical files? If so, is there a protection system in case of an emergency or disaster?
Businesses covered under HIPAA, including those that help develop new technologies for healthcare, must be able to safeguard PHI. This is done through an elaborate protection system that covers the administrative, technical, and physical areas of the business. That is what the risk assessment is all about – checking whether your business complies with the rules.