HIPAA Risk Assessment: HHS Requires Progress not Perfection

January 21, 2015

The National Institute of Standards and Technology (NIST) protocol is the gold standard for HIPAA risk assessment. It is what the federal government uses to measure the compliance of its own organizations, and NIST has developed public-domain standards and tools to streamline the process. The Security Content Automation Protocol (SCAP) scanner was developed to measure compliance: run on a computer, it analyzes 33 different areas and reports on their compliance with the NIST protocol. This can be done through an inexpensive online tool.

The NIST protocol asks 102 questions. The SCAP scanner answers 33 of them, and if the company is small enough another 25 are deemed non-applicable. If the company has no written policies and procedures, another 10 questions are answered automatically. Answering the remaining 34 questions therefore completes the initial HIPAA risk assessment. The report will show virtually all areas as non-compliant, in the red.

If this small company (1-5 employees) then began the HIPAAssure® Micro program developed by Compliance Helper, within a few hours it would have written policies and procedures. Running the risk assessment again would then show over 50% in the green, and the company would be in compliance. By repeating the cycle of measure, remediate and measure, it would be able to stay in compliance forever.
